
Google Exposes DarkSword Exploit Chain Targeting Crypto Wallets on iPhones

Google's Threat Intelligence Group has uncovered DarkSword, a sophisticated full-chain iOS exploit. Its Ghostblade module specifically targets cryptocurrency wallet data and seed phrases.

CoinJP Editorial

A Full-Chain Attack on Apple Devices

Researchers at Google's Threat Intelligence Group have uncovered a sophisticated full-chain exploit for iOS dubbed DarkSword. The exploit package chains together multiple vulnerabilities in Apple's operating system to achieve complete device compromise. Of particular concern to crypto holders is the Ghostblade component — a module designed specifically to harvest cryptocurrency application data and seed phrases.

«#CertiKInsight 🚨Google Threat Intelligence has exposed "DarkSword", a full-chain iOS exploit using 6 vulnerabilities to silently compromise iPhones. Your seed phrases and wallet credentials are a target.🧵 Here's what you need to know 👇» — CertiK Alert (@CertiKAlert), original post

According to the findings, DarkSword has been employed by multiple hacking groups as well as commercial spyware vendors. Infection occurs via malicious websites: simply visiting a compromised page triggers the exploit chain, granting attackers access to the victim's data without any user interaction or awareness.

[Figure] Timeline of DarkSword's evolution and the corresponding iOS vulnerability patches. Source: Google Threat Intelligence Group

Why This Matters

DarkSword represents a new class of threat. Sophisticated exploit chains incorporating zero-day vulnerabilities — tools once reserved for nation-state intelligence agencies — are now proliferating among a much broader range of threat actors. For cryptocurrency holders, this translates to a qualitative leap in risk: the attack is silent, requires no action beyond visiting an infected webpage, and specifically targets digital asset credentials.

The framework is not a monolithic piece of malware. Different groups have adapted and modified its components for their own objectives, making detection significantly more challenging.

How DarkSword Works

The exploit chain leverages multiple iOS vulnerabilities, including previously unknown zero-days, to bypass the operating system's built-in security mechanisms and escalate privileges. Once a device is compromised, attackers can:

  • Access messages, credentials, and files stored on the device;
  • Track the owner's location;
  • Extract data from applications, including cryptocurrency wallets;
  • Execute arbitrary code remotely.

Ghostblade — The Primary Threat to Crypto Assets

The most dangerous component within DarkSword is the Ghostblade module. Its core function is to establish persistence after the initial breach and maintain a communication channel with the attackers' command-and-control server. Ghostblade handles the filtering and collection of high-value information: crypto application account data, seed phrases, and login credentials.

The module actively evades iOS security tools and can download additional payloads, expanding the scope of the attack after the initial compromise.

Security Recommendations

CertiK's security team has published a set of protective measures for iPhone users who hold crypto assets:

  • Update iOS to version 26.3, which patches the exploited vulnerabilities;
  • Enable Lockdown Mode if the update is not immediately available;
  • Audit active sessions and revoke any unrecognized logins;
  • Use hardware wallets and never store seed phrases on a phone.
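The first recommendation above turns into a compliance question for anyone managing more than one iPhone: which devices are still below the patched version? The following Python check is an added example, not code from the article, Google or CertiK. It takes a device inventory export (the rows and device names here are constructed for illustration) and flags anything below the iOS 26.3 floor the article cites. Versions are parsed into integer tuples before comparing, because a plain string comparison ranks "26.10" below "26.3" and would mark a fully updated device as vulnerable.

```python
"""Flag iPhones in an inventory export that sit below the iOS version
the article cites as patched (26.3, per CertiK's recommendation).

Added example; device names and version strings below are constructed.
"""

PATCHED_IOS = "26.3"  # floor taken from the recommendation above; adjust to Apple's advisory if it differs


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '26.2.1' into (26, 2, 1).

    Leading digits of each dot-separated component are used; any trailing
    non-digit characters in a component (e.g. a build tag) are ignored.
    A component with no leading digits is rejected rather than guessed at.
    """
    parts = []
    for tok in v.strip().split("."):
        digits = ""
        for ch in tok:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            raise ValueError(f"unparseable version component {tok!r} in {v!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_patched(installed: str, floor: str = PATCHED_IOS) -> bool:
    """True if the installed version is at or above the patched floor.

    Tuple comparison is lexicographic on integers, so (26, 10) > (26, 3)
    and (26, 3, 1) > (26, 3), while (26, 2, 1) < (26, 3).
    """
    return parse_version(installed) >= parse_version(floor)


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = [
    {"device": "iphone-ops-01", "os": "26.3"},
    {"device": "iphone-ops-02", "os": "26.2.1"},
    {"device": "iphone-fin-07", "os": "26.10"},  # newer than 26.3 despite string order
    {"device": "iphone-fin-09", "os": "18.7.2"},
]


def unpatched_devices(inventory, floor: str = PATCHED_IOS) -> list[str]:
    """Return the names of devices whose iOS version is below the floor."""
    return [row["device"] for row in inventory if not is_patched(row["os"], floor)]


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{name}: below iOS {PATCHED_IOS}, update or enable Lockdown Mode")
```

Feed the function the version column of a real MDM export instead of the sample rows; the floor constant is the only value to change when Apple ships a later fix.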

Who Used DarkSword

According to Google's report, the exploit package was deployed by both commercial spyware vendors and hacking groups with suspected government ties. Attacks were recorded across several regions, including Ukraine, Turkey, and Middle Eastern countries.

The researchers emphasized that DarkSword reflects a troubling trend: nation-state-grade cyber espionage tools are becoming accessible to an increasingly broad spectrum of threat actors, dramatically amplifying the risks faced by everyday users and cryptocurrency holders alike.


Frequently Asked Questions

What is DarkSword and how does it threaten crypto holders?

DarkSword is a full-chain iOS exploit discovered by Google's Threat Intelligence Group that chains multiple vulnerabilities, including zero-days, to fully compromise iPhones. Its Ghostblade module specifically targets cryptocurrency wallet data and seed phrases, posing a direct threat to digital asset holders.

How can I protect my iPhone crypto wallet from DarkSword?

CertiK recommends updating iOS to version 26.3, enabling Lockdown Mode if the update isn't available, and auditing all active login sessions. Additionally, users should use hardware wallets and never store seed phrases on their phone.

How does DarkSword infect an iPhone?

DarkSword infects devices through malicious websites. Simply visiting a compromised webpage triggers the exploit chain, which silently gains access to the user's data without requiring any additional interaction or awareness from the device owner.

Who is behind the DarkSword attacks?

According to Google's research, DarkSword has been used by both commercial spyware vendors and hacking groups with suspected government affiliations. Attacks have been observed in Ukraine, Turkey, and Middle Eastern countries.

What is the Ghostblade module in DarkSword?

Ghostblade is the core persistence module within DarkSword responsible for maintaining communication with attackers' command-and-control servers. It filters and collects high-value data including crypto app credentials and seed phrases, and can download additional malicious payloads to expand the attack.
