Google researchers have identified an iOS exploit chain, already in use in the wild, that can deliver malware specifically targeting cryptocurrency apps on vulnerable iPhones.
The exploit, dubbed DarkSword, leverages six vulnerabilities to deploy malware on devices running iOS versions 18.4 through 18.7, according to the research.
Once a user visits a malicious or compromised website with a vulnerable device, the exploit is used to deploy malware, including a JavaScript-based data stealer called Ghostblade that actively seeks out major crypto exchange apps such as Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC.
Ghostblade also hunts for popular crypto wallet applications including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe, while simultaneously exfiltrating SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location data, health data, photos, saved passwords, and message history from Telegram and WhatsApp.
Multiple actors are deploying the exploit, ranging from commercial spyware vendors to state-backed groups, with campaigns observed in Saudi Arabia using a fake Snapchat lookalike, and in Ukraine through compromised websites including a government site.
Ghostblade is designed for quick data theft rather than long-term surveillance—it collects all available data, then deletes its temporary files and terminates itself.
This is the latest in a wave of malware targeting crypto users, including the Inferno Drainer malware that stole some $9 million from crypto users over a six-month period last year, and a campaign that saw counterfeit Android smartphones pre-loaded with crypto-stealing malware.