SlowMist confirms DarkSword is conducting active attacks in the wild; Apple iOS 15+ users need to upgrade

MarketWhisper

DarkSword in-the-wild attacks

SlowMist co-founder Yu Xuan (余弦) confirmed on X on May 15 that the high-risk iOS attack framework DarkSword has leaked publicly through channels including GitHub and is being used in large-scale theft attacks against holders of crypto wallets. The attack targets Apple devices running iOS 18.4 through 18.7. Apple confirmed that users on iOS 13 or iOS 14 must upgrade to iOS 15 to be protected.

DarkSword attack mechanism: attack scenarios confirmed by Yu Xuan

According to Yu Xuan’s confirmation in an X post, the DarkSword attack scenarios are as follows:

Attack prerequisite (the malicious page is left open, not closed): The victim visits one of the following types of malicious web pages in Safari and keeps the page open:

· Fake adult live-streaming web pages

· TRON (波場) energy station web pages

· Web pages disguised as refund processes

· Web pages disguised as vulnerability alerts

Attack trigger: While the malicious page is open in Safari, if the victim unlocks a crypto wallet app, the malicious JavaScript code can steal the wallet’s plaintext private key and seed phrase and immediately send them back to the attacker.

Yu Xuan confirmed: “I’ve obtained some in-the-wild attack samples,” and said that SlowMist “will decide whether to disclose more technical details depending on the situation.”

Which users are already protected, and who needs to take immediate action

According to Apple’s official support documentation:

Already protected (no additional action needed): Devices with iOS 15 through iOS 26 that have installed the latest updates

Need to take immediate action:

· Devices running iOS 18.4 through 18.7 that have not yet installed the latest security patches: install the updates immediately via “Settings” > “General” > “Software Update”

· Devices running iOS 13 or iOS 14: must upgrade to iOS 15 to receive protection

Additional security measures (confirmed by Apple):

· The Safari “Safe Browsing” feature (enabled by default) can block identified malicious URL domains

· For high-risk users or users who cannot update their devices, Apple recommends enabling “Lockdown Mode”

Apple explicitly stated in its support documentation: “If you have updated your iPhone software to the latest version, then your device is already protected.”

Frequently asked questions

Does the DarkSword attack require the user to click anything specific for it to trigger?

According to Yu Xuan’s confirmation, a victim only needs to visit a malicious web page in Safari and keep the page open; if they then unlock a crypto wallet app without having closed the page, the private key could be stolen. No specific click by the user is required.

How can iOS 13 or iOS 14 users get protected?

According to Apple’s official support documentation, iOS 13 or iOS 14 users must upgrade to iOS 15 (or higher) to get protection against DarkSword. Apple has released security updates for iOS 15 and iOS 16, providing additional protection for older devices that cannot be updated to the latest version.

If I can’t update my device, what alternative protection measures are available?

For users who cannot update their devices, Apple officially recommends enabling “Lockdown Mode” to protect against malicious web content and other threats. In addition, confirm that Safari’s “Safe Browsing” feature (enabled by default) is turned on; it can block some identified malicious domains.
