GasCope

Ghostblade's Shopping Spree: Your iPhone's Crypto Apps Are on the Malware Menu

Google's cyber-sleuths have uncovered a nasty iOS exploit chain, nicknamed DarkSword, that's currently playing digital whack-a-mole with unpatched iPhones. This slick operation uses a six-vulnerability combo to slip malware onto devices running iOS versions 18.4 through 18.7, proving even Apple's walled garden has a few rotten gates.

The digital mugging begins when a user, blissfully scrolling on a vulnerable device, stumbles onto a malicious or compromised website. From there, the exploit chain deploys a JavaScript-based data stealer called Ghostblade, which has a shopping list more targeted than a degen chasing the next memecoin airdrop.

Ghostblade isn't just browsing; it's actively hunting for the crypto VIP lounge on your phone. Its targets include major exchange apps like Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC, alongside popular wallet apps including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. Consider your seed phrase officially on notice.

While it's busy rifling through your crypto apps like a frantic treasure hunter, Ghostblade is also vacuuming up your entire digital existence: SMS, iMessages, call logs, contacts, Wi-Fi passwords, Safari history, location data, health info, photos, saved passwords, and even your Telegram and WhatsApp chats. It's the ultimate "give me your keys, your seed, and your DMs" demand.

This exploit is being wielded by a motley crew, ranging from commercial spyware vendors to state-backed groups with more resources than a well-funded DAO. Campaigns have been spotted in Saudi Arabia using a fake Snapchat clone and in Ukraine via compromised websites, including a government portal—because even officialdom isn't safe from this digital grift.

Ghostblade is built for a quick heist, not long-term surveillance. It's a classic smash-and-grab: it hoovers up all available data, meticulously deletes its temporary files, and then self-destructs to cover its tracks faster than a rug-pull developer deleting their Twitter account.

This episode is the latest entry in a booming genre of malware with a refined palate for crypto assets. It follows hits like the Inferno Drainer malware, which siphoned about $9 million from users last year, and a campaign involving counterfeit Android phones pre-loaded with crypto-stealing software—a hardware scam for the truly dedicated.

Google's Threat Intelligence Group notes this exploit chain has been active in the wild since at least November 2025. It involves a trio of malware families: Ghostblade, Ghostknife, and Ghostsaber. A group tracked as UNC6353, previously linked to Russian cyber-ops, has now integrated the DarkSword toolkit into its latest attack campaigns.

All the vulnerabilities involved were dutifully reported to Apple in late 2025 and were fully patched with the release of iOS 26.3. Google has since added the associated attack domains to its Safe Browsing blocklist. The advice is as simple as it is ignored: update your device. If you can't, activating Lockdown Mode is the next best defense. Outdated devices are becoming prime hunting grounds, especially for crypto thieves looking for low-hanging fruit.

Publisher: gascope.com
Updated: Mar 20, 2026, 18:57 UTC
