Google: ‘DarkSword’ iOS exploit (iOS 18.4–18.7) delivers Ghostblade data‑stealer targeting major crypto exchange and wallet apps

Google researchers disclosed an in‑the‑wild iOS exploit chain named DarkSword that uses six vulnerabilities to compromise iPhones running iOS 18.4–18.7. Visiting a malicious or compromised website can trigger the chain and deploy Ghostblade, a JavaScript data stealer that specifically searches for and exfiltrates data from major crypto exchange apps (Coinbase, Binance, Kraken, KuCoin, OKX, MEXC) and wallet apps (Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, Gnosis Safe). Ghostblade also steals SMS/iMessage, call history, contacts, Wi‑Fi passwords, Safari cookies and browsing history, location, health data, photos, saved passwords, and Telegram/WhatsApp history. Multiple actors — including commercial spyware vendors and state‑backed groups — have used DarkSword in campaigns observed in Saudi Arabia, Turkey, Malaysia, and Ukraine; some attacks have compromised government websites. Ghostblade is designed for rapid data theft and self‑removal.
AI Analysis
DarkSword actively exploits six iOS vulnerabilities (iOS 18.4–18.7) to deploy Ghostblade, which specifically targets major exchange and wallet apps and exfiltrates credentials and device data. Multiple actors (commercial spyware vendors and state‑backed groups) have used it in real campaigns. These facts make the story negative for user security and could affect trust in the affected apps.