DEV Community

ohmygod


DarkSword: The Zero-Click iOS Exploit Chain That's Draining Crypto Wallets in Under 60 Seconds


On March 18, 2026, Google Threat Intelligence Group (GTIG), Lookout, and iVerify jointly disclosed DarkSword — a full-chain iOS exploit kit that chains six vulnerabilities (three zero-days) to achieve complete iPhone takeover without any user interaction. The kit specifically targets crypto wallets, seed phrases, and private keys, exfiltrating everything within seconds before wiping forensic traces.

If you hold crypto on an iPhone running iOS 18.4 through 18.7 and haven't updated, your funds may already be compromised.


The Kill Chain: Six Links, Zero Clicks

DarkSword is not a single vulnerability. It's an engineered attack pipeline that escalates from a poisoned webpage to full kernel control:

Stage 1 — Remote Code Execution (WebKit)

The victim visits a legitimate but compromised website in Safari. An invisible iframe loads JavaScript that fingerprints the device; if the target runs iOS 18.4–18.7, the exploit fires.

Two JavaScriptCore memory corruption bugs provide the initial foothold:

  • CVE-2025-31277 — JIT compilation flaw (patched in iOS 18.6)
  • CVE-2025-43529 — Separate JIT vulnerability (zero-day, patched in iOS 18.7.3/26.2)

The attacker now has code execution inside Safari's sandboxed WebContent process.

Stage 2 — Sandbox Escape

Safari's process isolation should contain the damage. DarkSword breaks out through two hops:

  1. WebContent → GPU process — Exploiting ANGLE graphics library via CVE-2025-14174 (zero-day OOB write, patched in iOS 18.7.3/26.2)
  2. GPU → mediaplaybackd — Pivoting to a higher-privilege daemon

A Pointer Authentication Code (PAC) bypass (CVE-2026-20700, zero-day, patched in iOS 26.3) defeats Apple's hardware-level pointer authentication protection.

Stage 3 — Kernel Privilege Escalation

Two kernel vulnerabilities deliver arbitrary memory read/write:

  • CVE-2025-43510 — Memory management flaw (patched in iOS 18.7.2/26.1)
  • CVE-2025-43520 — Kernel memory corruption (patched in iOS 18.7.2/26.1)

At this point, the attacker has full device control — equivalent to a jailbreak, but silent and remote.

Stage 4 — Payload Deployment and Data Theft

Three malware families deploy depending on the operator:

Payload      Purpose
-----------  -------------------------------------------
GHOSTBLADE   Primary infostealer — credential harvesting
GHOSTKNIFE   Targeted data extraction — crypto wallets
GHOSTSABER   Persistent surveillance implant

The crypto-focused payload (GHOSTKNIFE) specifically targets:

  • Wallet seed phrases and private keys (MetaMask, Trust Wallet, Phantom, Coinbase Wallet, and dozens more)
  • Keychain credentials for exchange apps (Binance, Coinbase, Kraken)
  • Authenticator TOTP seeds (Google Authenticator, Authy)
  • Clipboard history (catching copied addresses/seeds)
  • Screenshots and screen recordings of wallet UIs

The entire extraction completes in under 60 seconds, then the exploit wipes its own traces.


Who's Using DarkSword?

The proliferation pattern is what makes DarkSword particularly alarming. Multiple unrelated threat actors acquired the same exploit kit:

UNC6748 — Deployed a Snapchat-themed lure site (snapshare[.]chat) targeting Saudi Arabian users starting November 2025. Their implementation had notable bugs — version detection logic didn't account for iOS 18.7 despite it being released months prior, suggesting they acquired the exploit code but didn't fully understand it.

PARS Defense — A Turkish commercial surveillance vendor incorporating DarkSword into their product offering for government clients.

UNC6353 — A suspected Russian espionage group previously linked to the Coruna iOS exploit kit. They pivoted to DarkSword for watering hole attacks against Ukrainian targets, injecting the exploit into compromised legitimate websites.

This mirrors the pattern seen with Coruna (disclosed just weeks earlier): a secondary market for iOS exploits where the same chain gets sold to multiple buyers — state actors, commercial spyware vendors, and financially motivated criminals alike.


Why Crypto Users Are Prime Targets

DarkSword isn't a generic surveillance tool that happens to steal crypto. The GHOSTKNIFE payload is purpose-built for cryptocurrency theft:

1. Mobile Wallets Are Single Points of Failure

A hot wallet on your phone stores the private key material directly on the device. DarkSword extracts it from the app's sandbox — the very isolation that's supposed to protect it becomes irrelevant when the attacker has kernel access.

2. Hardware Wallet Users Aren't Safe Either

If you use a Ledger or Trezor but manage it through a mobile companion app, DarkSword can:

  • Capture your PIN as you enter it
  • Screenshot transaction approval screens
  • Intercept Bluetooth communication with the device
  • Steal the app's cached xpub keys to track all your addresses

3. Exchange Accounts Get Drained Too

With access to your authenticator seeds AND email credentials AND session tokens, the attacker can:

  • Log into your exchange account
  • Disable or bypass 2FA (they have the TOTP seed)
  • Initiate withdrawals to their own addresses

4. The "Hit-and-Run" Model

Unlike traditional spyware that maintains persistence for surveillance, DarkSword's crypto mode operates as a smash-and-grab. Extract everything valuable, exfiltrate it to C2 servers, clean up. By the time you notice, the funds are already gone — typically laundered through mixers or cross-chain bridges within hours.


The Uncomfortable Math: 220+ Million Vulnerable Devices

Apple shipped iOS 18.4 in April 2025. Every iPhone that received that update but hasn't been updated to iOS 26.3 or 18.7.6 is theoretically vulnerable. Security researchers estimate this encompasses over 220 million devices.

Now consider:

  • Phantom has 15M+ mobile users
  • MetaMask Mobile has 30M+ installs
  • Trust Wallet has 60M+ users
  • Coinbase Wallet has 10M+ active mobile users

The overlap between "iPhone users with crypto wallets" and "iPhone users who delay updates" is enormous.


Defensive Measures: What You Should Do Right Now

Immediate Actions (Do Today)

  1. Update iOS immediately — iOS 26.3 or iOS 18.7.6 patches all six CVEs
  2. Enable Lockdown Mode — Settings → Privacy & Security → Lockdown Mode. This disables JIT compilation in Safari, which blocks Stage 1 of DarkSword entirely
  3. Rotate all wallet seeds — If your device was running iOS 18.4–18.7 at any point since November 2025, assume compromise and generate new wallets on a clean device
  4. Revoke exchange API keys — Any API keys cached on the device should be considered leaked
  5. Reset authenticator apps — Re-enroll 2FA from a different device

Architectural Changes (Do This Week)

  1. Move significant holdings to hardware wallets — Manage them from a desktop, not a phone
  2. Use a dedicated device for crypto — An iPad with Lockdown Mode permanently enabled, or a separate phone that never browses the web
  3. Enable withdrawal whitelists on exchanges — Most major exchanges support address whitelisting with a 24-48h cooldown for new addresses
  4. Use a passkey or hardware security key for exchange 2FA — TOTP seeds can be stolen; FIDO2/WebAuthn keys cannot (the private key never leaves the hardware)

For DeFi Protocol Teams

  1. Implement client-side integrity checks — Detect if your dApp is running inside a compromised WebView
  2. Add transaction delays for large amounts — Give users (and monitoring systems) time to catch unauthorized transactions
  3. Monitor for unusual mobile access patterns — Bulk credential use from new IPs after a DarkSword campaign may indicate mass compromise
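Item 3 describes a detection rather than a control, so here is what that rule looks like run over login events. This is an added example written for this post, not code from the article or from any exchange or vendor; the log line format, the baseline of known IPs per account, the thresholds and every sample value are constructed assumptions. The rule flags a source IP that authenticates several distinct accounts within a short window when that IP is new for every one of them.

```python
"""Flag source IPs that authenticate many distinct accounts in a short window
when none of those accounts has used that IP before.

Added example written for this post; it is not code from the article, from any
exchange or from any named vendor. The log line format, the baseline of known
IPs, the thresholds and every sample value are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<UTC timestamp> login ok user=<id> ip=<addr> ua=<client>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ok user=(?P<user>\S+) ip=(?P<ip>\S+) ua=(?P<ua>\S+)$"
)

# Constructed baseline: IPs each account has successfully used before.
KNOWN_IPS = {
    "u1001": {"198.51.100.10"},
    "u1002": {"198.51.100.23"},
    "u1003": {"198.51.100.44"},
    "u1004": {"198.51.100.60"},
    "u2000": {"203.0.113.200"},
}

# Constructed events: four unrelated accounts hit from one never-seen IP within
# a minute, then two ordinary logins from IPs their owners normally use.
SAMPLE_LOG = """\
2026-03-19T09:00:01Z login ok user=u1001 ip=203.0.113.7 ua=ios-app/5.2
2026-03-19T09:00:14Z login ok user=u1002 ip=203.0.113.7 ua=ios-app/5.2
2026-03-19T09:00:39Z login ok user=u1003 ip=203.0.113.7 ua=ios-app/5.2
2026-03-19T09:01:02Z login ok user=u1004 ip=203.0.113.7 ua=ios-app/5.2
2026-03-19T09:05:00Z login ok user=u2000 ip=203.0.113.200 ua=ios-app/5.2
2026-03-19T10:30:00Z login ok user=u1001 ip=198.51.100.10 ua=ios-app/5.2
"""

WINDOW = timedelta(minutes=10)  # assumed: how close together the logins must be
MIN_ACCOUNTS = 3                # assumed: distinct accounts per IP that trigger an alert


def parse_events(log_text):
    """Yield (timestamp, user, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["ip"]


def detect_bulk_new_ip_logins(log_text, known_ips, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {ip: sorted list of accounts} for every IP that authenticated at
    least `min_accounts` distinct accounts within `window`, counting only
    logins where the IP was new for that account. A user logging in from a
    known IP never contributes, so ordinary traffic does not trip the rule."""
    new_ip_hits = defaultdict(list)          # ip -> [(ts, user), ...] in time order
    for ts, user, ip in sorted(parse_events(log_text)):
        if ip not in known_ips.get(user, set()):
            new_ip_hits[ip].append((ts, user))

    alerts = {}
    for ip, hits in new_ip_hits.items():
        flagged = set()
        start = 0
        for end in range(len(hits)):         # sliding window over time-ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users_in_window = {u for _, u in hits[start:end + 1]}
            if len(users_in_window) >= min_accounts:
                flagged |= users_in_window
        if flagged:
            alerts[ip] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for ip, users in detect_bulk_new_ip_logins(SAMPLE_LOG, KNOWN_IPS).items():
        print(f"ALERT bulk first-seen-IP logins from {ip}: {', '.join(users)}")
```

On the constructed sample only 203.0.113.7 is flagged, with all four accounts; the u2000 and later u1001 logins come from IPs already in their baselines and are ignored. In production the baseline would come from authentication history and the thresholds would be tuned against normal traffic, since shared corporate NATs can legitimately produce many accounts behind one IP.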

The Bigger Picture: Mobile Is the New Attack Surface

DarkSword and Coruna represent a paradigm shift. For years, crypto security focused on:

  • Smart contract vulnerabilities
  • Protocol-level exploits
  • Social engineering (phishing, fake apps)

But the most devastating attacks of 2026 aren't finding bugs in Solidity or Rust. They're going after the device layer — the phone where you approve transactions, store seeds, and manage your entire crypto life.

The Step Finance hack ($40M) was operational security. The Resolv exploit ($25M) was a smart contract bug. But DarkSword-class attacks target every wallet user simultaneously. One compromised website, 220 million potential victims, automated extraction.

This is the supply chain attack of the mobile era. And unlike a smart contract bug, there's no on-chain trace until the funds move.


Key Takeaways

  • DarkSword chains 6 vulnerabilities (3 zero-days) for zero-click iPhone compromise
  • Purpose-built crypto theft payloads extract seeds, keys, and credentials in under 60 seconds
  • Multiple threat actors (state, commercial, criminal) are using the same exploit kit
  • 220+ million iPhones were vulnerable; many remain unpatched
  • iOS Lockdown Mode blocks Stage 1 by disabling JIT compilation
  • Assume compromise if you ran iOS 18.4–18.7 since November 2025 with crypto on device

The lesson is clear: your smart contract can be formally verified, your protocol can be audited by Trail of Bits, and your multisig can require 5-of-7 signers. None of it matters if the phone approving those transactions is silently owned.

Update your phone. Move your keys off mobile. Enable Lockdown Mode. Do it today.

