Google just disclosed a vulnerability that targets iPhone crypto wallets and could have affected an estimated 270 million Apple devices.
The DarkSword exploit, which strings together multiple zero-day vulnerabilities, is still live today and affects iPhones running iOS 18.4 through 18.7, updates that were released between April and September last year.
Up-to-date Apple devices use iOS 26.3.1. However, because many people don’t automatically upgrade, 24% of all iPhones still use iOS 18 according to Apple’s own data.
DarkSword allows hackers to orchestrate six vulnerabilities together to silently compromise devices, dump their Keychain databases, and vacuum up crypto wallet data.
Frequently targeted apps by DarkSword hackers include crypto wallets MetaMask, Phantom, and dozens of others by Coinbase, Ledger, and more. Visiting a poisoned website in Safari is all it takes to trigger the attack.
Google’s Threat Intelligence Group has observed Russian state-linked hackers, a Turkish surveillance vendor, and another threat cluster wielding DarkSword against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
Read more: Legacy DeFi platforms lose $27M as hacking spree continues into 2026
Zero-day access to iPhone crypto wallet files
DarkSword isn’t a keylogger or clipboard sniffer; it gains kernel-level access, then injects JavaScript into privileged iOS system processes to pillage the device.
The sinister toolkit hunts specifically for crypto wallet files, scanning for apps matching terms like “metamask,” “ledger,” “trezor,” “phantom,” “coinbase,” “binance,” and “kraken.” It grabs whatever wallet data it finds.
It can also pull the device’s Keychain database which is an Apple system-level storage service for passwords.
DarkSword can also access WiFi passwords, iCloud data, Safari cookies, iMessages, WhatsApp histories, call logs, location histories, photos, and encryption keys protecting stored credentials called keybags.
Read more: Venus Protocol hacker lost $4.7M after nine months of planning
All six vulnerabilities have now received patches if an iPhone user upgrades their operating system.
Apple addressed most in iOS 18.7.2 and 18.7.3. However, if their passwords, files, or crypto wallet data have already been stolen, all of those credentials and personal security implications would have to be re-secured.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
Source: https://protos.com/google-warns-over-200-million-iphone-crypto-wallets-at-risk/
