Google’s Threat Intelligence Group has identified a six-vulnerability exploit chain called DarkSword that can fully compromise iPhones running iOS 18.4 through 18.7, prompting urgent calls for all users, including those storing crypto wallets on Apple devices, to update immediately.
The GTIG report, published March 18, 2026, details how DarkSword chains six separate zero-day vulnerabilities to achieve complete device compromise. The attack requires only that a victim click a malicious link; no further interaction is needed.
What Google’s Researchers Found Inside iOS
DarkSword exploits six previously unknown flaws, including CVE-2025-31277 and CVE-2025-43529 (both JavaScriptCore memory corruption bugs) and CVE-2026-20700 (a PAC bypass in dyld). Together, the chain gives attackers full control over the target device.
Once a device is compromised, three distinct malware families are deployed: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. According to research conducted in coordination with Lookout, data extraction from compromised devices completes within seconds to minutes, leaving victims little time to detect the intrusion.
GTIG identified multiple threat actors using DarkSword, including commercial surveillance vendors and UNC6353, a suspected Russian espionage group. Targets have been identified in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain has been active since at least November 2025.
A separate but related exploit kit called Coruna targets older iOS versions (13 through 17.2.1) using 23 exploits across five chains. The simultaneous existence of two active iOS exploit kits covering nearly every recent iOS version underscores the scale of the threat.
Security firm iVerify identified a compromised Ukrainian government server used to deliver the exploit, while Saudi-targeted attacks mimicked Snapchat to lure victims through watering hole websites.
Why iPhone-Stored Crypto Wallets Face Direct Risk
Full device compromise of the kind DarkSword enables means an attacker can access app sandboxes, the iOS Keychain, clipboard contents, and local storage. For crypto holders, that translates to exposure of seed phrases stored in apps or notes, private keys held by mobile wallets like MetaMask Mobile, Trust Wallet, or Coinbase Wallet, and authentication tokens for exchange accounts.
Damon McCoy of NYU’s Center for Cyber Security told Time: “This is a pretty significant threat. There’s still probably quite a few people that are still running this outdated version of iOS, and those people are quite vulnerable.”
Hardware wallet companion apps such as Ledger Live and Trezor Suite run on the same compromised OS. While the private keys remain on the hardware device itself, transaction details displayed on a compromised phone could be manipulated, and session tokens for portfolio management features could be hijacked.
The clipboard is a particularly acute risk vector. Crypto users frequently copy-paste wallet addresses and seed phrases. An attacker with full device access can monitor and exfiltrate clipboard contents in real time. As institutional interest in crypto continues to grow, the number of mobile users managing significant holdings from their phones has risen sharply.
How to Update iOS and Harden Crypto Security Now
All six DarkSword vulnerabilities are patched in iOS 26.3, released in March 2026. To update: open Settings, tap General, then Software Update, and install the latest available version.
Apple also released extended security patches for iOS 15 and iOS 16 on March 11, 2026, providing partial protection for users on older devices that cannot run iOS 26. Devices still running iOS 13 or 14 must upgrade to at least iOS 15 to receive any patches at all.
For users who cannot update immediately, GTIG recommends enabling Lockdown Mode, which prevents DarkSword from functioning. The group stated: “We strongly urge users to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.”
Google has also added known DarkSword delivery domains to Safe Browsing, which blocks malicious links in Chrome and other browsers that use the service.
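The version guidance above, applied to a device inventory as an added Python example (not code from GTIG, Apple, or this article's author): it sorts each reported iOS version into the ranges the article names and returns the matching action. The inventory rows, the exposure labels, and the treatment of 18.7.x point releases as in range are assumptions.

```python
import re

FIXED = (26, 3, 0)  # article: all six DarkSword bugs are patched in iOS 26.3

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(version_text):
    """Map an iOS version string to (exposure, action) per the article's ranges."""
    v = parse_version(version_text)
    if v is None:
        return ("unknown", "check the version by hand")
    if v >= FIXED:
        return ("patched", "none")
    # Assumption: 18.7.x point releases fall inside "18.4 through 18.7".
    if (18, 4) <= v[:2] <= (18, 7):
        return ("darksword", "update to 26.3 or later; enable Lockdown Mode until then")
    if (13, 0, 0) <= v <= (17, 2, 1):
        if v[0] <= 14:
            return ("coruna", "upgrade to at least iOS 15 to receive patches")
        if v[0] <= 16:
            return ("coruna", "update, or install the extended iOS 15/16 patches")
        return ("coruna", "update to 26.3 or later")
    if v < (13, 0, 0):
        return ("not-covered", "outside the versions the article discusses")
    # Anything else below 26.3 is not confirmed fixed by the article.
    return ("below-fix", "update to 26.3 or later")

def needs_action(inventory):
    """Return {device: (exposure, action)} for every device that is not patched."""
    results = {name: triage(ver) for name, ver in inventory}
    return {n: r for n, r in results.items() if r[0] != "patched"}

# Constructed sample inventory (device names and versions are made up).
SAMPLE = [("ops-01", "18.6.2"), ("ops-02", "26.3"), ("fin-07", "17.2.1"),
          ("lab-03", "14.8"), ("exec-01", "18.7.1"), ("kiosk-9", "17.4"),
          ("old-05", "16.7.10"), ("bad-row", "iOS eighteen")]

if __name__ == "__main__":
    for device, (exposure, action) in needs_action(SAMPLE).items():
        print(f"{device:8} {exposure:12} {action}")
```

Rows that fail to parse are reported as "unknown" rather than dropped, so a malformed inventory export cannot hide an unpatched device.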
Crypto-specific hardening steps include:
- Never store seed phrases in Notes, Photos, iCloud, or any app accessible from the device
- Use a hardware wallet for any holdings beyond day-to-day transaction amounts
- Enable Lockdown Mode on any iPhone used to access exchange accounts or wallet apps
- Review and revoke app permissions for clipboard access
- Enable withdrawal address whitelisting on exchanges where available
With the broader crypto market watching developments like new ETF filings and volatile altcoin price action, operational security often takes a back seat to market moves. DarkSword is a reminder that device-level vulnerabilities pose a direct financial risk to anyone managing digital assets from their phone.
Users running any iOS version between 13 and 18.7 should treat updating as the single highest-priority action they take today.
