Google researchers have uncovered a sophisticated iOS exploit chain dubbed DarkSword, active against iPhones running iOS versions 18.4 through 18.7. The exploit enables deployment of Ghostblade, a JavaScript-based malware designed to harvest data from major crypto platforms.

Ghostblade targets top cryptocurrency exchanges including Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC. It also infiltrates wallet apps such as Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. The malware exfiltrates SMS, iMessages, call logs, contacts, Wi-Fi passwords, Safari data, location, health records, photos, and credentials from Telegram and WhatsApp.

Attacks leveraging DarkSword have been detected in Saudi Arabia, Turkey, Malaysia, and Ukraine. In some cases, government websites were compromised to host the exploit. One campaign used a fake Snapchat app lure; others exploited legitimate sites to deliver payloads.

Unlike persistent spyware, Ghostblade is built for rapid data theft: once it collects available information, it deletes temporary files and self-terminates. Multiple threat actors are using the toolset, ranging from commercial spyware vendors to state-backed groups.

This discovery follows recent surges in crypto-targeted malware, including Inferno Drainer, which stole $9 million from wallets last year, and counterfeit Android phones preloaded with stealing software.