Google experts have identified a complex exploit chain for iOS called DarkSword. Its Ghostblade tool is designed to steal sensitive information, including cryptocurrency wallet data.
#CertiKInsight 🚨
Google Threat Intelligence has exposed "DarkSword", a full-chain iOS exploit using 6 vulnerabilities to silently compromise iPhones.
Your seed phrases and wallet credentials are a target.
🧵 Here's what you need to know 👇
— CertiK Alert (@CertiKAlert) March 20, 2026
What Happened
Experts from Google’s Threat Intelligence Group discovered a so-called full-chain exploit that combines multiple vulnerabilities in iOS, allowing complete compromise of Apple devices. This software package has been utilized by several hacker groups and commercial spyware vendors.
Attacks were conducted through malicious websites: visiting these sites triggered a chain of exploits that gave attackers access to user data without the user's knowledge.
Timeline of DarkSword's evolution and iOS vulnerability fixes. Source: Google Threat Intelligence Group.
How the Attack Works
DarkSword exploits several vulnerabilities, including zero-day flaws, to bypass iOS security mechanisms and gain elevated privileges within the system.
Once compromised, attackers can:
- access messages, credentials, and files;
- track location;
- extract data from applications, including cryptocurrency wallets;
- execute code remotely on the device.
The framework itself is not a single piece of malware; different groups have used their own modifications, tailoring the tools for specific targets.
Threat to Users' Crypto Assets
One of the key components of the package is Ghostblade. Its primary function is to establish persistence within the system after infiltration and ensure complete control over the device.
This tool connects to the attackers' server and implements filtering and data collection, including information from cryptocurrency application accounts and seed phrases.
Ghostblade takes measures to evade detection by security tools and can also download and execute additional modules, expanding the attack's functionality.
Experts from CertiK strongly recommend iOS users take the following steps to protect their assets:
- update the OS to version 26.3;
- enable Lockdown Mode if the upgrade fails;
- check account login entries and remove any unknown ones;
- use hardware wallets and never store seed phrases on the phone.
Who is Behind the Attacks
According to researchers, DarkSword has been employed by both commercial spyware vendors and hacker groups allegedly linked to governments.
Attacks have been recorded in several countries, including Ukraine, Turkey, and various Middle Eastern nations.
Experts noted that the emergence of DarkSword reflects a new trend: sophisticated hacking tools, once available only to state actors, are now spreading among a broader range of players.
In March, the Ledger security team (Donjon) discovered a critical vulnerability in Android smartphones with MediaTek processors. This bug allows keys to cryptocurrency wallets to be stolen within minutes.
