Google warns DarkSword iOS exploit can steal crypto wallet data. Users must update iPhones to avoid theft and security risks.
Google has warned iPhone users about a dangerous hacking attack called DarkSword. The attack can allow access to some iPhones and steal important data, including the details of crypto-wallets. According to Google, the exploit has been in use since late 2025 and it affects devices that are running the iOS 18.4 to 18.7. Users are highly recommended to update their phones to be safe.
DarkSword Exploit Targets Older iPhones
Google Threat Intelligence Group said DarkSword is a complete exploit chain that exploits a number of security flaws. The attack employs six different vulnerabilities to control a device. Once inside, hackers are able to execute special malware without the user noticing anything.
Google disclosed that the DarkSword iOS exploit chain has been widely used since late 2025 to compromise iPhones (iOS 18.4–18.7). One payload, GHOSTBLADE, can extract cryptocurrency wallet data and credentials alongside other sensitive information. Google warned that unpatched… pic.twitter.com/9yu5j3VlR0
— Wu Blockchain (@WuBlockchain) March 20, 2026
The exploit operates by a technique known as watering hole attack. In this attack, a person needs to only visit a hacked website in order to become infected. There is no download or click needed. Because of its ability to operate within normal system processes, the malware is quite difficult to detect.
Related Reading: Trust Wallet Launches Address Poisoning Protection to Combat Rising Crypto Scams – Ledger Tribune
Researchers discovered that there are different countries where DarkSword has been used, including Saudi Arabia, Turkey, Malaysia, and Ukraine. Google’s belief is that there were attacks originating from surveillance companies and state-sponsored groups. The exploit chain has been in operation since at least November 2025.
After the attack is successful, hackers can install malware (GhOsToBLADE, GHOsToKNiFe, GHOsToSABeR and so on). These tools give the attacker the ability to steal sensitive data and by removing any trace of the attack. This makes it hard to track the hack once it has occurred.
Crypto Wallets and Personal Data at Risk
One of the greatest threats from the DarkSword attack is the theft of cryptocurrency. The malware can search the phone for wallets apps and exchange accounts. It can then pick up login details, keys and other important data.
Researchers said that the malware is capable of targeting many popular crypto services. Some of these include Coinbase, Binance, Kraken, KuCoin, OKX and MEXC. It also has the ability to gather information from wallets like MetaMask, Ledger, Trezor, Exodus, Phantom, Uniswap.
The attack does not end with crypto, though. It can also be used to steal messages, photos, browser history, and stored passwords. Some reports indicate that it can even access chat apps and health data stored on the phone. Because of this, the attack is considered to be very serious.
Experts think there could still be millions of devices at risk. Estimates are that between 220 million and 270 million iPhones are still running an older version of iOS. These devices may not have the security fixes required to block the attack.
Google Urges Users to Update Devices
Google said Apple has already solved the problems in newer versions of iOS. The company disclosed the flaws in late 2025 and patches were released afterward. Users are advised to download the latest version of iOS as soon as possible.
For individuals unable to update immediately, experts recommend that one use Lockdown Mode. This special setting provides additional protection from advanced attacks. It does limit some features, but makes the phone much more difficult to hack.
Security researchers said the DarkSword exploit demonstrates the value of smartphone data. Crypto wallets, messages and personal files can all be targets for attackers. Because of this keeping devices updated is one of the best to stay safe.
Google cautioned phones that are not patched are going to be easy targets. Updating software, staying away from unknown websites, and utilizing strong security settings can assist with shielding the user from future attacks.