Ghostblade Malware Harvests Crypto Wallet Credentials From Compromised iPhones in DarkSword Campaign

Security researchers have uncovered a sophisticated data-stealing operation targeting cryptocurrency users through compromised iPhones. The campaign, identified on March 19, 2026, leverages the DarkSword exploit chain to deploy a malware payload called Ghostblade that specifically hunts for wallet and exchange applications installed on infected devices, extracting credentials, private keys, and transaction histories before wiping its own traces.

The Exploit Mechanics

DarkSword chains six separate iOS vulnerabilities to achieve full remote code execution on target devices. Three of the exploited flaws reside in WebKit, the browser engine powering Safari and all web browsers on iOS and iPadOS. Two additional vulnerabilities affect the iOS kernel, while a sixth targets the Dynamic Link Editor (dyld) component of Apple operating systems. The exploit chain works against iPhones running iOS versions 18.4 through 18.7, and the attack vector is remarkably simple: visiting a malicious or compromised website with a vulnerable device triggers the entire infection process automatically. This drive-by approach means victims need not click suspicious links in emails or install rogue applications. A routine browsing session on a hijacked website is sufficient to compromise the device completely.

Once DarkSword gains initial access through Safari, it escapes the WebContent sandbox, leverages WebGPU to inject into the mediaplaybackd process, and from there crafts kernel-level read and write capabilities. This escalation allows the malware to modify sandbox restrictions and access restricted filesystem areas that normal applications cannot reach.

Affected Systems

The Ghostblade payload represents the most concerning aspect of this campaign for cryptocurrency holders. Upon successful exploitation, the malware systematically enumerates installed applications and specifically targets major cryptocurrency exchange platforms including Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC. Hardware wallet companion apps for Ledger and Trezor are also targeted, alongside software wallets such as MetaMask, Exodus, Uniswap Wallet, Phantom, and Gnosis Safe.

For each identified application, Ghostblade extracts stored credentials, session tokens, encryption keys, and any locally cached transaction data. Beyond cryptocurrency-specific targets, the malware also collects SMS and iMessage messages, call history, contacts, Wi-Fi configuration and saved passwords, Safari cookies and browsing history, location data, notes, calendar entries, health data, photos, iCloud Drive files, SIM information, emails, and message histories from Telegram and WhatsApp.

The Mitigation Strategy

Apple has addressed all six DarkSword vulnerabilities across multiple iOS updates released between July 2025 and February 2026. CVE-2025-31277 was patched in iOS 18.6, while CVE-2025-43510 and CVE-2025-43520 received fixes in iOS 26.1 and 18.7.2 during November 2025. CVE-2025-43529 and CVE-2025-14174 were addressed in iOS 26.2 and 18.7.3 in December 2025 after reports of targeted in-the-wild exploitation. The most recent patch, CVE-2026-20700 affecting the dyld component, was fixed in iOS 26.3 during February 2026 following confirmed zero-day exploitation. Apple expanded these patches further with iOS 18.7.7 on April 1, 2026.

Cryptocurrency users running any iOS version below 18.7.7 remain potentially vulnerable. The recommendation is immediate: update to the latest available iOS version for your device. For high-value crypto holders, journalists, activists, or individuals with access to sensitive data, Apple Lockdown Mode provides an additional layer of protection that has proven effective against targeted surveillance campaigns.

Lessons Learned

The DarkSword campaign exposes several critical weaknesses in how cryptocurrency users approach mobile security. First, the assumption that iOS devices are inherently secure against sophisticated attacks has been repeatedly disproven. State-sponsored actors and commercial surveillance vendors maintain and deploy advanced exploit chains capable of fully compromising unpatched iPhones through routine web browsing. Second, the targeting of specific exchange and wallet applications indicates that cryptocurrency users are now a primary objective for both espionage and financial theft operations. The malware design suggests attackers understand the crypto ecosystem well enough to prioritize which applications yield the most valuable data.

Third, the self-deleting nature of Ghostblade means victims may never discover the compromise. The malware collects data, exfiltrates it to a remote server, deletes its temporary files, and terminates itself, leaving minimal forensic evidence on the device.

User Action Required

Every cryptocurrency user with an iPhone should take immediate steps to verify their device is running iOS 18.7.7 or later. Navigate to Settings, then General, then Software Update to check. Move high-value crypto assets to hardware wallets that are never connected to mobile devices. Enable two-factor authentication on all exchange accounts using a dedicated authenticator application rather than SMS-based verification. Consider using a separate, dedicated device for cryptocurrency operations that is not used for general web browsing or social media. Review recent exchange and wallet activity for any unauthorized transactions or login attempts from unfamiliar locations. With Bitcoin trading around $69,900 and Ethereum at $2,137 on the date of this discovery, the financial incentive for attackers targeting crypto holders has never been greater.
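The patch timeline in the mitigation section and the "18.7.7 or later" check above can be turned into a fleet triage helper. The following is an added example, not code from the article or from Apple: it encodes the per-branch fix versions the article lists and reports which DarkSword CVEs a given iOS version still lacks. Two table entries are assumptions rather than article facts (CVE-2026-20700 mapped to 18.7.7 on the 18 branch, and iOS 26.0 assumed to already carry the 18.6 fix), and the sample inventory is constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum iOS build containing each DarkSword fix, keyed by major branch.
# Transcribed from the article, except two assumed entries:
#   CVE-2025-31277 on branch 26: 26.0 shipped after 18.6, so assumed present.
#   CVE-2026-20700 on branch 18: assumed to be the 18.7.7 update the article
#   describes as closing the remaining gap.
FIXES: Dict[str, Dict[int, Version]] = {
    "CVE-2025-31277": {18: (18, 6, 0), 26: (26, 0, 0)},
    "CVE-2025-43510": {18: (18, 7, 2), 26: (26, 1, 0)},
    "CVE-2025-43520": {18: (18, 7, 2), 26: (26, 1, 0)},
    "CVE-2025-43529": {18: (18, 7, 3), 26: (26, 2, 0)},
    "CVE-2025-14174": {18: (18, 7, 3), 26: (26, 2, 0)},
    "CVE-2026-20700": {18: (18, 7, 7), 26: (26, 3, 0)},
}

def parse_ios_version(text: str) -> Version:
    """'18.7' -> (18, 7, 0); '18.7.2' -> (18, 7, 2). Rejects junk input."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"not an iOS version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def missing_fixes(version_text: str) -> List[str]:
    """CVEs from the chain whose fix is absent on this iOS version.

    A branch with no known fix release (e.g. iOS 17) is reported as missing
    everything: triage should flag unknown builds for review, not call them safe.
    """
    version = parse_ios_version(version_text)
    branch = version[0]
    missing = []
    for cve, by_branch in FIXES.items():
        fixed_at = by_branch.get(branch)
        if fixed_at is None or version < fixed_at:
            missing.append(cve)
    return missing

def fleet_triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device id -> outstanding CVEs for an MDM-style {id: version} export."""
    return {dev: missing_fixes(ver) for dev, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"ip-001": "18.7.7", "ip-002": "18.7.2", "ip-003": "26.2", "ip-004": "18.4"}
    for dev, cves in fleet_triage(sample).items():
        print(dev, "OK" if not cves else "NEEDS UPDATE: " + ", ".join(cves))
```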

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for personalized security recommendations.


8 thoughts on “Ghostblade Malware Harvests Crypto Wallet Credentials From Compromised iPhones in DarkSword Campaign”

1. David Kim: mass adoption incremental is right but 6 chained iOS vulns including kernel access means Apple needs to step up their sandbox model

    1. Takeshi Mori: 3 of 6 chained vulns were in WebKit. Apple needs to harden the browser engine separately from the kernel because Safari is the attack surface

2. drive-by attack through Safari with no click needed on iOS 18.4 to 18.7. That's a massive vulnerable device population for wallet theft

    1. device_hygiene_: driveby_rekt no click needed through Safari on iOS 18.4 to 18.7. That covers millions of devices. Update your phones people, this is not theoretical

    2. HODLKing_: the fundamental value prop getting stronger is true but Ghostblade specifically hunting exchange app credentials on mobile devices targets the weakest user behavior, not the protocol
