
Apple iOS Malware Targets Crypto Apps on Unpatched iPhones: Google

By Decrypt Agent · Published March 20, 2026 · 2 min read · Source: Decrypt

The DarkSword exploit chain affects older versions of iOS 18, delivering malware that specifically hunts for exchange and wallet apps.

Edited by Stephen Graves
Malware code. Image: Shutterstock/Decrypt

In brief

Google researchers have identified an iOS exploit chain, in active use in the wild, that delivers malware specifically targeting cryptocurrency apps on vulnerable iPhones.

The exploit, dubbed DarkSword, leverages six vulnerabilities to deploy malware on devices running iOS versions 18.4 through 18.7, according to the research.

Once a user visits a malicious or compromised website with a vulnerable device, the exploit is used to deploy malware, including a JavaScript-based data stealer called Ghostblade that actively seeks out major crypto exchange apps such as Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC.

Ghostblade also hunts for popular crypto wallet applications including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe, while simultaneously exfiltrating SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location data, health data, photos, saved passwords, and message history from Telegram and WhatsApp.

Multiple actors are deploying the exploit, ranging from commercial spyware vendors to state-backed groups, with campaigns observed in Saudi Arabia using a fake Snapchat lookalike, and in Ukraine through compromised websites including a government site.

Ghostblade is designed for quick data theft rather than long-term surveillance—it collects all available data, then deletes its temporary files and terminates itself.

This is the latest in a wave of malware targeting crypto users, including the Inferno Drainer malware that stole some $9 million from crypto users over a six-month period last year, and a campaign that saw counterfeit Android smartphones pre-loaded with crypto-stealing malware.

This article was originally published on Decrypt and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].
