DarkSword iOS Vulnerability Chain Targets Encrypted Apps and Private Data

A newly disclosed iOS exploit chain called DarkSword is targeting encrypted applications and private data on millions of Apple devices, with crypto wallet and exchange apps among its primary targets. Discovered by Google’s Threat Intelligence Group (GTIG) and confirmed by security firms Lookout and iVerify, the vulnerability chain affects unpatched iOS versions 18.4 through 18.7 and has been active since at least November 2025.

Six Chained Vulnerabilities, Three Zero-Days

DarkSword is not a single flaw. It chains six separate vulnerabilities, three of which were zero-days at the time of discovery: CVE-2025-31277, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520, and CVE-2026-20700. Together, these exploits allow full device compromise in a sequence that escalates from initial browser access to deep system-level control.

A vulnerability “chain” differs from a single exploit in that each link handles a different layer of iOS security. One CVE may break out of the Safari sandbox, another escalates kernel privileges, and another disables code-signing checks. Chaining them produces a full compromise that no single vulnerability could achieve alone.

The attack begins when a user visits a compromised legitimate website using Safari. A malicious iFrame delivers the JavaScript-based exploit, requiring no interaction beyond loading the page. This “watering hole” approach makes DarkSword particularly dangerous, as victims have no way to distinguish a compromised site from a safe one.

Once a device is compromised, three distinct malware families are deployed: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. According to GTIG’s published research, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in distinct campaigns since November 2025.

At least three threat actors have been identified. UNC6748 operates from Saudi Arabia, UNC6353 is a suspected Russian espionage group that incorporated DarkSword into watering hole campaigns targeting Ukraine, and PARS Defense is a Turkish commercial surveillance vendor. Confirmed targets span Saudi Arabia, Turkey, Malaysia, and Ukraine.

Why Crypto Wallets and Exchange Apps Face Direct Risk

What sets DarkSword apart from generic iOS exploits is its explicit targeting of cryptocurrency applications. The exploit specifically goes after six major exchange apps: Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC. Seven wallet apps are also targeted: Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.

Mobile crypto wallets rely on iOS data protection APIs and the Secure Enclave to isolate private keys, seed phrases, and authentication tokens within encrypted app sandboxes. A successful chain exploit bypasses these protections entirely, allowing attackers to extract data that is normally inaccessible even to other apps on the same device.

The risk compounds for users who store 2FA apps, password managers, or exchange API keys on the same device. DarkSword also harvests email, iCloud files, SMS and iMessage content, Wi-Fi passwords, Safari cookies, Telegram and WhatsApp chat logs, and geolocation data. The disclosure comes amid a period of heightened regulatory activity around crypto security standards, adding urgency to the mobile threat landscape.

Lookout Security described DarkSword’s operational method as a “hit-and-run” approach, collecting and exfiltrating targeted data within seconds or at most minutes, followed by cleanup. This means affected users may never realize their device was compromised.

An estimated 221 to 270 million devices are running affected iOS versions. Older iPhone models that cannot upgrade beyond iOS 18.x are permanently stuck on vulnerable software unless Apple backports specific patches. No confirmed dollar-value losses from crypto wallet targeting have been published, but the harvesting of private keys and exchange credentials poses clear theft risk.

What Crypto Holders Should Do Right Now

Apple has patched all six CVEs. Users should update immediately to iOS 26.3.1 or iOS 18.7.6, depending on device compatibility. Checking your current version takes seconds: go to Settings, then General, then Software Update.

If your device no longer receives iOS updates, move significant crypto holdings to a hardware wallet that is not connected to the compromised device. With DApp revenue declining across major chains and broader market uncertainty, securing existing holdings takes priority over active trading on vulnerable devices.

Avoid storing seed phrases, private keys, or recovery codes in note apps, screenshots, or iCloud storage on any mobile device. These are among the data categories DarkSword specifically targets.

For high-risk users, Apple’s Lockdown Mode (available on iOS 16 and later) restricts certain app capabilities and hardens the attack surface. While it limits some functionality, it blocks several of the vectors DarkSword exploits, including malicious web content delivery.

Google has added DarkSword delivery domains to Safe Browsing, which provides a layer of protection for Chrome and Safari users. However, this only covers known domains, and new delivery infrastructure could emerge. Users tracking Bitcoin ETF flows and broader market signals should be equally attentive to the security of the devices they trade from.

GTIG noted that “the use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation.” Coruna, a related but separate exploit kit, targets even older iOS versions from 13.0 through 17.2.1, broadening the total population of vulnerable devices.

With the Fear and Greed Index at 11, reflecting extreme fear across crypto markets, the timing of this disclosure adds another pressure point for holders already navigating volatile conditions. Securing mobile devices is now as critical as securing wallets themselves.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.