TLDR:
- DarkSword exploits six iOS vulnerabilities, including three zero-days, requiring no user clicks to execute.
- Around 270 million iPhones running iOS 18.4 to 18.7 remain exposed until users update to iOS 26.3.
- Three threat actors, including Russian group UNC6353, are linked to the DarkSword exploit campaign.
- Apple has patched all six vulnerabilities; updating immediately is the fastest way to stay protected.
DarkSword, a newly identified iPhone exploit, is placing millions of crypto users at serious risk. Google’s Threat Intelligence Group disclosed the threat in March 2026.
The exploit targets devices running iOS 18.4 through 18.7. Estimates put the number of vulnerable iPhones at around 270 million.
The attack works silently in the background with no clicks required. A single visit to a compromised website can lead to a full device takeover.
How DarkSword Works and What Data It Can Steal
DarkSword exploits a chain of six vulnerabilities, three of which are classified as zero-days. When a user visits a fake or compromised website, hidden code activates on the device.
The process happens in the background, with no visible warnings shown to the user. There is no need for the user to click anything for the attack to succeed.
Once inside the device, attackers can access crypto wallet data and seed phrases stored on the phone. Saved passwords are also exposed, along with private conversations across Telegram, WhatsApp, and iMessage.
On top of that, the malware can extract photos and location history, and it can record audio through the device microphone.
Crypto Patel shared on X that attackers are specifically hunting for crypto wallet apps and seed phrases. That focus separates DarkSword from a standard espionage operation. It is a targeted financial attack designed to drain the holdings of crypto users.
The threat is especially serious for those who store seed phrases digitally. Security professionals have long advised against saving such data on a mobile device.
DarkSword now provides a concrete reason for crypto holders to reconsider how they secure sensitive information. Moving seed phrase storage offline is a practical step that reduces risk considerably.
Who Is Behind DarkSword and How to Protect Your Device
Google’s investigation linked DarkSword to three separate threat actors: Russian espionage group UNC6353, Turkish surveillance vendor PARS Defense, and an additional cluster known as UNC6748.
The presence of multiple well-resourced groups behind a single exploit makes the campaign particularly concerning.
Reported targets include users in Ukraine, Saudi Arabia, Turkey, and Malaysia. Still, because the attack spreads through websites, any iPhone user could encounter it. Location alone does not determine who is at risk. Users everywhere should treat the threat as active.
Apple acted swiftly and patched all six vulnerabilities connected to DarkSword. The fix is available through an update to iOS 26.3.
Users who delay that update remain exposed to the full scope of the exploit chain. This is the second major iOS attack reported this month, making timely updates more important than ever.
Beyond the software update, Apple’s Lockdown Mode provides an added layer of defense. Hardware wallets are the safest option for anyone holding large crypto amounts.
Avoiding suspicious websites and refraining from storing seed phrases on any phone remain practical steps every crypto user should follow.



