On March 20, 2026, Google disclosed DarkSword, a six-vulnerability iOS exploit chain that delivers malware designed to extract data from 13 crypto exchange and wallet applications. The malware, dubbed Ghostblade, targets apps including Coinbase, Binance, Kraken, MetaMask, and Ledger, then deletes itself after exfiltration.
iPhones running iOS 18.4 through 18.7 are vulnerable. Apple patched all six flaws with iOS 26.3.
Six Flaws, Three Zero-Days, One Kill Chain
DarkSword chains six vulnerabilities together to move from a compromised website to full device control:
Three zero-days (previously unknown):
- CVE-2026-20700: a PAC bypass in dyld, patched in iOS 26.3
- CVE-2025-43529: JavaScriptCore memory corruption, patched in iOS 18.7.3 and 26.2
- CVE-2025-14174: ANGLE memory corruption, patched in iOS 18.7.3 and 26.2
Three known vulnerabilities:
- CVE-2025-31277: JavaScriptCore flaw, patched in iOS 18.6
- CVE-2025-43510: kernel memory management, patched in iOS 18.7.2 and 26.1
- CVE-2025-43520: kernel memory corruption, patched in iOS 18.7.2 and 26.1
The attack starts when a victim visits a compromised or malicious website. A hidden iframe fingerprints the Safari browser. If the device is running a vulnerable iOS version, DarkSword fires a JavaScriptCore JIT exploit for initial code execution, escapes the WebContent sandbox through GPU process exploitation via WebGPU, injects into the mediaplaybackd daemon, then escalates to kernel-level access through CVE-2025-43520 for arbitrary read/write. The entire chain runs without user interaction beyond visiting the page.
Ghostblade Goes Straight for Crypto
Once DarkSword grants kernel access, the final payload is Ghostblade, a JavaScript-based data stealer with a specific appetite for crypto applications.
Exchange apps targeted: Coinbase, Binance, Kraken, KuCoin, OKX, MEXC
Wallet apps targeted: Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, Gnosis Safe
Beyond crypto-specific data, Ghostblade hoovers up nearly everything on the device: emails, iCloud Drive files, contacts, SMS and iMessage content, Safari browsing history and cookies, saved passwords, photos, call history, Wi-Fi credentials, location history, calendar data, Health app information, installed app lists, Apple Notes, and message histories from Telegram and WhatsApp.
The operational pattern is hit-and-run. Ghostblade collects all available data, injects into SpringBoard to exfiltrate via HTTPS, then deletes its temporary files and terminates itself. There is no persistent implant. The malware gets in, takes everything, and vanishes.
Three Threat Actors, Four Countries
Google identified at least three separate groups deploying DarkSword since November 2025:
UNC6353, a suspected Russian state-sponsored group, ran watering hole attacks on Ukrainian government websites starting in November 2025 and continued through December, targeting users on iOS 18.4 through 18.6.
UNC6748 targeted Saudi Arabian users in November 2025 using a fake Snapchat lookalike domain (snapshare[.]chat).
PARS Defense, a Turkish commercial surveillance vendor, deployed the exploit chain against targets in Turkey in November 2025.
Campaigns were also observed in Malaysia. Google estimates hundreds of millions of unpatched devices running iOS 13 through 18.6.2 remain potentially vulnerable across the combined exploit kits, though the crypto-targeting Ghostblade payload is specific to the DarkSword chain on iOS 18.4 through 18.7.
What Crypto Users Should Do Right Now
The fix is straightforward: update. Apple patched the three zero-days in iOS 26.3. The three previously known flaws were patched across iOS 18.6, 18.7.2, and 26.1. Any iPhone running iOS 26.3 or later is not vulnerable to DarkSword.
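For anyone responsible for more than one phone, the patch levels listed above can be turned into a fleet check. The following is an added example, not part of Google's or Apple's material: it reports which of the six fixes a given iOS version lacks, using only the fix versions listed in this article. The device names and the rule for choosing the applicable release train are assumptions.

```python
# Fix versions exactly as listed in the article, one entry per release train.
FIXES = {
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-31277": ["18.6"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}

def parse(version):
    """'18.7' -> (18, 7, 0); pads to three components so tuples compare cleanly."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def unpatched_cves(os_version):
    """Return the chain's CVEs whose listed fix this iOS version lacks."""
    have = parse(os_version)
    missing = []
    for cve, fixed_in in FIXES.items():
        # Assumption: the relevant fix is the one for the device's own train,
        # or the newest older train when none is listed for it.
        reachable = [parse(f) for f in fixed_in if parse(f)[0] <= have[0]]
        if not reachable or have < max(reachable):
            missing.append(cve)
    return missing

def triage(inventory):
    """Map device name -> missing fixes, keeping only devices that lack any."""
    report = {}
    for name, os_version in inventory:
        missing = unpatched_cves(os_version)
        if missing:
            report[name] = missing
    return report

# Constructed sample inventory (device names are hypothetical).
SAMPLE_INVENTORY = [
    ("finance-iphone-01", "18.5"),
    ("finance-iphone-02", "18.7.3"),
    ("exec-iphone-01", "26.1"),
    ("exec-iphone-02", "26.3"),
]

if __name__ == "__main__":
    for device, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: missing {len(cves)} fix(es): {', '.join(cves)}")
```

A device on 18.7.3 is still reported for CVE-2026-20700 because the article lists a fix for that flaw only in iOS 26.3. The output says which listed fixes are absent, not whether a device was actually exploited.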
For users who manage crypto through mobile apps, this is a reminder that the phone itself is an attack surface. Hardware wallets like Ledger and Trezor are targeted by the data extraction, but the physical signing mechanism remains intact. Ghostblade can steal app data and saved passwords, but it cannot extract private keys from a hardware device's secure element. If your exchange or wallet credentials were compromised before you updated, rotating passwords and revoking API keys is the immediate step.
DarkSword is the second major iOS exploit kit Google has disclosed in recent months (after Coruna, which targeted older iOS 13-17 versions). Both were adopted by multiple threat actors, from state intelligence services to commercial spyware vendors. The self-custody model does not protect against device-level compromise if the signing interface is on the compromised phone itself.
Overview
Google disclosed DarkSword, a six-vulnerability iOS exploit chain that delivers Ghostblade malware specifically targeting 13 crypto exchange and wallet apps including Coinbase, Binance, Kraken, MetaMask, Ledger, and Phantom. The chain uses three zero-days and three known flaws to move from a malicious website visit to full device compromise without user interaction. At least three threat actors (a Russian state group, a Saudi-targeting operation, and a Turkish surveillance vendor) deployed DarkSword across Ukraine, Saudi Arabia, Turkey, and Malaysia since November 2025. Ghostblade operates as a hit-and-run data stealer, extracting everything from saved passwords to Telegram messages before self-destructing. Apple patched all flaws in iOS 26.3. Users on iOS 18.4 through 18.7 should update immediately and rotate credentials for any crypto accounts accessed from affected devices.







