Cybersecurity Experts Find Malicious Software Targeting Millions of iPhones

Security researchers have identified dangerous malware called "Darksword" that can infiltrate iPhones and steal personal data including cryptocurrency information. The spyware was found on Ukrainian websites and could potentially affect up to 270 million devices running older iOS versions.

Cybersecurity experts announced Wednesday they have identified malicious software that can break into Apple iPhones and extract sensitive information, potentially affecting hundreds of millions of devices worldwide.

The malware, which researchers have named “Darksword,” was found embedded on multiple Ukrainian websites in recent weeks. This represents the second major iPhone spyware discovery this month, indicating a growing market for sophisticated hacking tools designed to steal personal data and digital currency wallet information.

Three cybersecurity organizations – Lookout, iVerify, and Google – worked together to analyze the threat. Earlier this month on March 3, the same teams identified another iPhone spyware called “Coruna,” and investigators found both malicious programs operating from identical server infrastructure.

“There’s now a verified pipeline of recent exploits … that have ended up in the hands of potentially criminal entities with a financial focus,” stated Justin Albrecht, who serves as principal researcher at Lookout.

The malicious software specifically targets iPhones operating iOS versions 18.4 through 18.6.2, which Apple distributed between March and August of this year. Users became infected when they visited compromised Ukrainian websites.

While the exact number of vulnerable devices remains unknown, security experts estimate that between 220 million and 270 million iPhones could be at risk. Although Apple has issued security patches to address the underlying vulnerabilities, many users have not updated their devices to the latest software versions.

Apple has not provided a response to requests for comment regarding the discovery.

The identification of two separate powerful iPhone exploits within the same month suggests criminals now have access to hacking tools that were once exclusively available to government intelligence agencies, according to Rocky Cole, who co-founded and serves as chief operating officer of iVerify.

Security researchers were able to detect these threats because the attackers made careless operational mistakes that are uncommon in government-sponsored iPhone hacking operations.

“The fact that they don’t care if it gets burned, and that they’re using them in mass attacks with poor (operational security), that says a lot about how much they value these tools,” Cole explained. “They’re not overly precious about them being exposed.”

Investigators determined that Darksword was hosted on the same internet servers used by suspected Russian operators behind the Coruna spyware campaign.