Google warns of “DarkSword” iOS exploit targeting crypto wallets

Google Threat Intelligence has uncovered a new attack campaign dubbed “DarkSword,” leveraging a chain of six zero-day vulnerabilities to fully compromise iPhones running iOS 18.4–18.7.

According to the report, no app installation is required. Simply visiting a compromised website can allow attackers to take complete control of the device.

DarkSword specifically targets major crypto wallet and exchange apps, including Coinbase, Binance, Kraken, KuCoin, OKX, MEXC, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe, as well as hardware wallet providers like Ledger and Trezor.

The malware is capable of stealing private keys, passwords, and account data, then wiping its traces to evade detection.

The campaign has been linked to the Russian-backed cyber-espionage group UNC6353, in coordination with Turkish surveillance vendor PARS Defense. It has reportedly been active since November 2025, with victims identified in Ukraine, Saudi Arabia, Turkey, and Malaysia.

Ledger CTO Charles Guillemet warned that the exploit is “already deployed at scale.”

All six vulnerabilities have been patched in iOS 26.3.1. Users who have not updated their devices are considered at high risk.