Russian Hackers Use Zero-Click iPhone Exploit to Steal Data From Hundreds of Millions of Devices
Amsterdam, Wednesday, 18 March 2026.
Russian cybercriminals have deployed a sophisticated hacking tool called DarkSword that can compromise iPhones simply by visiting infected websites. The exploit targets devices running iOS 18, affecting approximately 270 million users worldwide who haven’t updated their software. DarkSword steals sensitive data including passwords, cryptocurrency wallets, photos, and messaging app content within minutes of infection. The attack has been active since November 2025, targeting users in Ukraine, Saudi Arabia, Turkey, and Malaysia through compromised websites and fake platforms.
Technical Sophistication Behind DarkSword
The DarkSword exploit represents a significant advancement in mobile cybercrime technology, utilizing six distinct vulnerabilities to achieve complete device compromise [1]. The attack begins when users visit infected websites through Safari, where the exploit leverages flaws in JavaScriptCore, dyld, ANGLE, and the iOS kernel to bypass Apple’s security measures [2]. Once initiated, the malware executes a sophisticated multi-stage process that gains kernel-level access within seconds, allowing attackers to inject JavaScript engines into privileged iOS services including App Access, Wi-Fi, Springboard, Keychain, and iCloud [3]. This technical sophistication enables the rapid deployment of data-stealing modules, with Google’s Threat Intelligence Group noting that the exploit includes ‘sandbox escape, privilege escalation, and in-memory implants’ that can exfiltrate sensitive information before cleaning up traces of the attack [3].
Global Impact and Target Demographics
The scale of potential impact from DarkSword is staggering, with iVerify estimating that up to 270 million iPhone users could be susceptible to the exploit [4]. This vulnerability stems from the fact that approximately 24% of iOS devices still operate on iOS 18 versions as of March 2026 [5]. The geographic distribution of attacks reveals a strategic targeting pattern, with confirmed compromises in Ukraine, Saudi Arabia, Turkey, and Malaysia since the tool’s deployment in November 2025 [1][6]. Rocky Cole, iVerify’s cofounder and CEO, emphasized the unprecedented scope of the threat, stating that ‘a vast number of iOS users could have all of their personal data stolen simply for visiting a popular website’ and that ‘hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable’ [1].
Financial Motivations and State-Sponsored Connections
Analysis of DarkSword’s deployment reveals a dual-purpose operation combining state-sponsored espionage with financial cybercrime activities. Google attributes the DarkSword campaigns to UNC6353, a Russian-backed espionage group, along with UNC6748 and PARS Defense, a Turkish commercial surveillance vendor [4]. Justin Albrecht, Lookout’s global director for mobile threat intelligence, highlighted the financial component of these attacks, noting that ‘they’re probably well-funded, probably well-connected, but it’s confirmed that they’re stealing crypto’ [4]. The exploit specifically targets cryptocurrency wallet applications, with the malware designed to identify and extract wallet files along with WiFi passwords and other sensitive credentials [6]. This represents a potential shift in tactics for Russian Advanced Persistent Threat groups, as Albrecht observed: ‘Why not start to fund their operations with stolen funds? It wouldn’t be outside the norm, although it would be a potential shift in their TTPs for Russian APTs in general’ [4].
Industry Response and Protective Measures
Apple responded swiftly to the discovery of DarkSword vulnerabilities, releasing emergency security updates on March 10, 2026, for older devices [1]. All vulnerabilities exploited by DarkSword have been patched in iOS 26.3 and iOS 18.7.3 and higher versions [6]. The tech giant’s security notes for iOS 26.3 specifically indicate that the dyld vulnerability may have been used in targeted attacks, underscoring the active threat these exploits posed [2]. Security researchers recommend multiple protective strategies beyond updating iOS, including enabling Lockdown Mode, which renders DarkSword ineffective [6]. Regular device restarts can also disrupt spyware that relies on memory persistence, while users should exercise heightened caution when visiting unfamiliar websites [2]. iVerify and Lookout claim their security applications can detect DarkSword infections, providing an additional layer of protection for enterprise and individual users concerned about advanced persistent threats [1].
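For administrators who need to act on the patched versions named above, the following added example (not from the article or any vendor) triages a device inventory against the fixed release of each iOS branch. The CSV column names and device names are assumptions, and the sample inventory is constructed. Branches for which the article names no fixed release are flagged for manual review rather than guessed.

```python
import csv
import io

# Minimum patched release per major branch, as stated in the article.
PATCHED_MIN = {18: (18, 7, 3), 26: (26, 3, 0)}

# Constructed sample of an MDM inventory export (hypothetical columns).
SAMPLE_INVENTORY = """device,os_version
iphone-001,18.6.2
iphone-002,18.7.3
iphone-003,26.2
iphone-004,26.3.1
iphone-005,17.7
iphone-006,unknown
"""

def parse_version(text):
    """Return a 3-part integer tuple, or None if the string is not a version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(os_version):
    """Compare a device against the fixed release of its own major branch."""
    version = parse_version(os_version)
    if version is None:
        return "unparsed"
    minimum = PATCHED_MIN.get(version[0])
    if minimum is None:
        # The article names no fixed release for this branch: review by hand.
        return "review"
    # A single ">= 18.7.3" test would wrongly pass 26.0 through 26.2.
    return "patched" if version >= minimum else "needs_update"

def triage(inventory_csv):
    """Map each device name to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: classify(row["os_version"]) for row in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```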
Sources
- www.wired.com
- appleinsider.com
- www.bleepingcomputer.com
- cyberscoop.com
- www.engadget.com
- www.pcmag.com