Every Crypto App on Your Phone Is a Target.
By Strident Citizen | March 20, 2026 | 10 min read
Russia doesn’t need to hack your exchange.
It was already inside your iPhone.
A new iOS exploit kit called DarkSword was disclosed this week. Google’s Threat Intelligence Group, Lookout, and iVerify published coordinated findings on Wednesday. They’ve been tracking it since November 2025. Multiple actors have been running it for months: state-sponsored groups, commercial surveillance vendors, and their paying customers.
The target list is very long: passwords, iMessages, WhatsApp, Telegram, browser history, iCloud data, Apple Health, location, contacts, call logs, and cryptocurrency wallets.
That’s not a side effect. That’s the objective.
You didn't click anything. You didn't download anything. You just visited the wrong page.
How It Gets In
DarkSword chains six vulnerabilities in iOS — three of them zero-days at the time of deployment — to fully compromise your device. The entry point is Safari. The attack begins the moment your browser loads a page with a malicious iframe injected into its HTML. You don’t click a suspicious link. You don’t download an app. You visit a website that was already trusted — a news outlet, a government portal, a Snapchat login page — and the chain starts running in the background without touching your screen.
Here’s the sequence in plain language. The iframe loads a JavaScript file called rce_loader.js. That file fingerprints your device — iPhone model, iOS version — and routes you to the correct exploit for your specific hardware. Then it exploits a memory corruption flaw in JavaScriptCore, the engine Safari uses to run web code, to achieve remote code execution. From there it bypasses Apple’s Pointer Authentication Codes, which are supposed to prevent exactly this kind of memory manipulation. Then it escapes Safari’s sandbox entirely through the GPU process. Then it moves into the iOS kernel. Then it’s done. Full read and write access. Every app on your device is now accessible.
The final payload is an orchestrator called pe_main.js. It injects modules into privileged iOS system processes — the ones that handle Wi-Fi, security certificates, and Keychain access — and activates dedicated data-theft modules for each category. When it’s finished exfiltrating everything to a remote server over an encrypted custom protocol, it wipes itself clean.
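As an added illustration (not code from the article, from Lookout, Google, or iVerify), here is a small integrity check a site operator could run over their own pages to flag embeds that match the injection pattern described above: off-origin or invisible iframes, and scripts referencing the loader filenames the research names. The sample HTML, hostnames and paths are constructed placeholders, not indicators from the reports.

```python
# Added example (not the article's or any cited firm's code): a site owner's integrity
# check that flags embeds matching the injection pattern described above. Hostnames,
# paths and HTML below are constructed placeholders, not indicators from the reports.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader filenames named in the published research (see the text above).
SUSPECT_NAMES = ("rce_loader.js", "pe_main.js")

class _EmbedFinder(HTMLParser):
    """Collect every <iframe> and <script> start tag with its attributes."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.found.append((tag, dict(attrs)))

def _is_hidden(style):
    s = (style or "").replace(" ", "").lower()
    return any(m in s for m in ("display:none", "visibility:hidden", "width:0", "height:0"))

def find_suspicious_embeds(html, site_host):
    """Return findings for iframes/scripts that are off-origin, invisible, or loader-named."""
    parser = _EmbedFinder()
    parser.feed(html)
    findings = []
    for tag, a in parser.found:
        src = a.get("src") or ""
        host = urlparse(src).hostname or site_host  # relative src -> same origin
        reasons = []
        if src.split("?")[0].endswith(SUSPECT_NAMES):
            reasons.append("loader filename from the DarkSword research")
        if host != site_host:
            reasons.append("off-origin source: " + host)
        if tag == "iframe" and (_is_hidden(a.get("style")) or "0" in (a.get("width"), a.get("height"))):
            reasons.append("rendered invisibly")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings

# Constructed sample: a legitimate page with one injected script and one hidden iframe.
SAMPLE_HTML = """<html><body><h1>Local news</h1>
<iframe src="/embeds/weather" width="300" height="150"></iframe>
<script src="/static/app.js"></script>
<script src="https://injected.example/rce_loader.js"></script>
<iframe src="https://injected.example/landing" style="display:none;width:0;height:0"></iframe>
</body></html>"""
```

A real deployment would fetch each page as a visitor sees it and keep an allowlist of known third-party embeds so that only unexpected ones are reported.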
No trace. No alert. Nothing in your storage.
You won’t know it happened.
The entire operation takes seconds to minutes. Lookout describes it as a deliberate hit-and-run. Get in, drain everything, disappear. The dwell time is kept intentionally short to make detection as difficult as possible. Most victims will never know they were compromised.
You didn’t click anything. You didn’t download anything. You just visited the wrong page.
What It’s Actually Going After
This is where it gets specific. DarkSword’s primary payload — a JavaScript-based infostealer called GHOSTBLADE — doesn’t just scan broadly for financial data. It has a named target list hardcoded into its modules.
On the exchange side: Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC.
On the wallet side: Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.
If any of those apps are installed on your device, DarkSword scans them specifically. It isn’t stumbling across crypto data by accident. It’s looking for it by name.
Beyond the crypto targeting, GHOSTBLADE harvests SMS and iMessage content, call history, contacts, Wi-Fi passwords, Safari cookies, browsing history, location data, health records, photos, saved passwords, and full message histories from Telegram and WhatsApp. Two other payloads — GHOSTKNIFE and GHOSTSABER — handle additional backdoor capabilities including device enumeration, file listing, account profiling, and remote JavaScript execution. Samples of GHOSTSABER even contain references to commands designed to record audio from the microphone and transmit live geolocation — though those modules weren’t fully activated in the observed deployments.
The full picture: once DarkSword lands on your device, it knows exactly what it’s looking for and where to find it. This was engineered with crypto users in mind.
Who’s Behind It
The primary actor is UNC6353 — a suspected Russian espionage group also linked to Coruna, the iOS exploit kit disclosed earlier this month. Lookout’s assessment: well-funded, technically capable, operating with goals that include both state intelligence collection and direct financial theft. They deployed DarkSword by injecting malicious iframes into real Ukrainian websites — a legitimate independent news outlet called News of Donbas and the official website of the Seventh Administrative Court of Appeals in Vinnytsia. That campaign has been running through March 2026. It isn’t historical. It’s happening now.
Real domains. Existing traffic. No fake sites needed.
UNC6353 isn’t the only one using it. Google identified a campaign in Saudi Arabia in November 2025 run through a fake Snapchat site called snapshare[.]chat. Turkish commercial surveillance vendor PARS Defense used DarkSword against targets in Turkey. A separate PARS Defense customer ran the same kit against users in Malaysia in January. Four distinct actors. Four separate campaigns. One exploit kit.
This is the second iOS mass-exploitation kit disclosed in a single month. The first was Coruna — also linked to UNC6353, also built with cryptocurrency theft as a core function. Worth noting: Coruna’s earlier iteration did not target crypto wallets. DarkSword does. That’s not an incremental upgrade. It’s a deliberate expansion of the objective.
And here’s the detail that should sit uncomfortably with anyone who still believes Western institutions aren’t part of this equation: CyberScoop reports this is the second instance of suspected Russian actors repurposing iOS exploits believed to have originally been developed on behalf of the U.S. government. Help Net Security notes the group may be connected to exploit brokers like Operation Zero — firms that legally buy and sell zero-day vulnerabilities on a commercial market.
The tools move. The origin doesn’t stay clean.
What was once exclusively the domain of intelligence agencies — the ability to silently compromise a fully updated iPhone through a website visit — is now a capability that commercial vendors are licensing to clients. PARS Defense isn’t a government. It’s a surveillance vendor with a customer list. The barrier to owning this capability is no longer clearance level. It’s budget.
Four actors. Four campaigns. Still running as of this week.
AI Is Accelerating This
Here’s the detail that should stop you cold: Lookout found that DarkSword shows signs of LLM-assisted development. The codebase is professionally structured, extensively commented, and built for long-term maintainability and rapid module expansion. The server-side component includes detailed explanatory notes characteristic of AI-generated code. One researcher noted this effectively lowers the barrier to entry for deploying advanced mobile exploits — even among less technically sophisticated state-sponsored actors.
That last part matters. The OPSEC on DarkSword is notably poor. The server-side component was literally labeled “Dark sword file receiver.” The HTML for the iframes wasn’t obfuscated. For a suspected Russian intelligence-aligned operation, that’s sloppy. The likely explanation: the actors who obtained this kit didn’t build it and don’t fully understand it. They’re operating a tool they purchased or were given access to. The AI-assisted codebase made it accessible to them regardless.
State actors and their proxies are using AI to build scalable, modular crypto-theft infrastructure that less sophisticated operators can deploy with minimal technical knowledge. That is not speculation. That’s in the published research from three independent security firms.
CISA has already added one of DarkSword’s core vulnerabilities — CVE-2026-20700 — to its Known Exploited Vulnerabilities catalog. That’s the U.S. government formally acknowledging active exploitation in the wild. Coruna and DarkSword — two separate, fully-functional exploit chains — both disclosed in the same month. Both targeting iOS. Both with cryptocurrency wallet access as an explicit module. Both showing codebase patterns consistent with AI-assisted development.
The development cycle on these tools is compressing. The distribution model is widening. The technical barrier to operating them is dropping.
Up to 270 million iPhones were running vulnerable iOS versions when this dropped — and iVerify’s broader estimate puts the figure as high as 296 million if all iOS 18 versions are counted. Around 15% of the entire iOS user base. Every one of those devices is still exposed.
Think about how many of those wallets are loaded right now.
Think about how many of those users believe they’re practicing self-custody.
270 million iPhones were exposed when this dropped. Most still are.
The Part Nobody Wants to Say Out Loud
This is the part nobody in the mobile wallet space wants to discuss directly. The self-custody argument — the foundational crypto argument that your keys, your coins is a meaningful form of financial sovereignty — assumes the device holding those keys isn’t already compromised. It assumes your phone is a neutral container. It isn’t. It never has been. DarkSword is just the cleanest illustration of that reality that’s been made public.
The argument breaks down at the hardware layer. Your iPhone is a device built by a trillion-dollar corporation, running a closed operating system, dependent on a browser engine that has now been exploited twice in the same month by state actors specifically targeting crypto. The cryptographic keys on that device are only as secure as every line of code sitting between them and the open web. And that code has six fresh CVEs on it as of this week.
I’ve written before about how Bitcoin’s origins connect to intelligence community infrastructure. The fingerprints don’t disappear at the wallet layer. The same apparatus building the financial surveillance framework I broke down in the GENIUS Act piece — stablecoins as legally mandated surveillance instruments — is now confirmed to be operating exploit kits that specifically target the asset class that was supposed to exist outside their reach.
Stablecoins are frozen on command. Mobile wallets are drained on visit.
Crypto was supposed to be the exit ramp. They’ve been building the on-ramp back in from day one.
What You Should Do Right Now
The operational answer is not complicated. Apple has patched the underlying vulnerabilities — update to iOS 18.7.6 or iOS 26.3.1 immediately. Apple also quietly pushed backported patches for iOS 15 and 16 this month, extending protection to older devices that wouldn’t otherwise qualify for the latest release.
If you believe you may already be a target — journalists, activists, anyone holding significant crypto on their phone — enable Lockdown Mode. It’s a meaningful additional layer. iVerify is also offering their Basic app for free until May specifically so users can check their devices for active DarkSword infections.
But the patch only closes DarkSword’s specific entry points. Not the next kit. Not Coruna. Not whatever gets disclosed next month. The structural vulnerability isn’t a CVE number. It’s the assumption that a connected device with kernel-level exposure to the open web is a safe place to store cryptographic keys.
It goes without saying: move anything meaningful off mobile wallets. If you’re using the Ledger or Trezor app on your phone to manage your hardware wallet, the hardware device itself is safe, but the app on your phone is not. Your crypto exchange login credentials for Coinbase, Binance, Kraken, or any of the other named targets should be treated as potentially exposed if you’ve been running a vulnerable iOS version since November 2025. Change your passwords. Enable hardware-key 2FA where available. Review recent account activity.
Restarting your phone regularly may clear fileless exploits like DarkSword from memory — though, unfortunately, anything already exfiltrated is gone. And stop treating Apple’s security marketing as a threat model.
Your phone was never a vault. DarkSword just made that impossible to ignore.
Every single crypto app on your phone is a target. It has been for months. You’re just finding out now.
Act accordingly.
If this was useful, share it with someone who still thinks their phone is a vault.
Subscribe to Strident Citizen for investigative crypto coverage that reads the research so you don’t have to.
What’s your current setup — hot wallet on mobile, hardware wallet, or something else? Drop it in the comments.