Google simply disclosed a vulnerability that targets iPhone crypto wallets and will have affected an estimated 270 million Apple units.
The DarkSword exploit, which strings collectively a number of zero-day vulnerabilities, remains to be reside immediately and impacts iPhones working iOS 18.4 by means of 18.7, updates that have been launched between April and September final yr.
Up-to-date Apple units use iOS 26.3.1. Nonetheless, as a result of many individuals don’t mechanically improve, 24% of all iPhones nonetheless use iOS 18 in keeping with Apple’s personal information.
DarkSword permits hackers to orchestrate six vulnerabilities collectively to silently compromise units, dump their Keychain databases, and vacuum up crypto pockets information.
Often focused apps by DarkSword hackers embrace crypto wallets MetaMask, Phantom, and dozens of others by Coinbase, Ledger, and extra. Visiting a poisoned web site in Safari is all it takes to set off the assault.
Google’s Menace Intelligence Group has noticed Russian state-linked hackers, a Turkish surveillance vendor, and one other risk cluster wielding DarkSword in opposition to targets in Saudi Arabia, Turkey, Malaysia, and Ukraine since no less than November 2025.
Zero-day entry to iPhone crypto pockets recordsdata
DarkSword isn’t a keylogger or clipboard sniffer; it positive aspects kernel-level entry, then injects JavaScript into privileged iOS system processes to pillage the gadget.
The sinister toolkit hunts particularly for crypto pockets recordsdata, scanning for apps matching phrases like “metamask,” “ledger,” “trezor,” “phantom,” “coinbase,” “binance,” and “kraken.” It grabs no matter pockets information it finds.
It will probably additionally pull the gadget’s Keychain database which is an Apple system-level storage service for passwords.
DarkSword can even entry WiFi passwords, iCloud information, Safari cookies, iMessages, WhatsApp histories, name logs, location histories, images, and encryption keys defending saved credentials known as keybags.
Google disclosed that the DarkSword iOS exploit chain has been extensively used since late 2025 to compromise iPhones (iOS 18.4–18.7). One payload, GHOSTBLADE, can extract cryptocurrency pockets information and credentials alongside different delicate info. Google warned that unpatched… pic.twitter.com/9yu5j3VlR0
— Wu Blockchain (@WuBlockchain) March 20, 2026
All six vulnerabilities have now acquired patches if an iPhone person upgrades their working system.
Apple addressed most in iOS 18.7.2 and 18.7.3. Nonetheless, if their passwords, recordsdata, or crypto pockets information have already been stolen, all of these credentials and private safety implications must be re-secured.
