DarkSword Leak Puts Millions of iPhone Users at Risk — What You Need to Know
A leaked iOS exploit toolkit called DarkSword is now publicly available on GitHub, making it easier than ever to target unpatched Apple devices. Here’s what it means and how to stay safe.
Last week, cybersecurity researchers uncovered a large-scale campaign targeting users of outdated Apple devices. The attacks are powered by a tool called DarkSword — previously used only by advanced threat actors — which has now been leaked online and is freely available on GitHub.
Copy, Paste… Attack
DarkSword is an iOS exploit toolkit that is surprisingly simple to use. The leaked files consist mainly of HTML and JavaScript, meaning almost anyone can deploy it.
Attackers can simply copy the files, upload them to a server, and within minutes begin targeting iPhone and iPad users — no deep knowledge of iOS internals required.
This dramatically lowers the barrier to entry for cybercriminals.
From State-Sponsored Tool to Public Weapon
DarkSword is far from amateur software.
According to analysts from Google and Lookout, the toolkit was previously used by a Russian state-sponsored hacking group (UNC6353) to surveil targets in Ukraine.
Interestingly, the leaked source code contains components that send stolen data to a Ukrainian clothing store website. This suggests that attackers had previously compromised the site and used it as a command-and-control (C2) server.
This isn’t an isolated case. Earlier this month, another exploit kit — Coruna, reportedly developed by L3Harris for the U.S. government — also made headlines after being exposed.
What Can DarkSword Do?
Once a device is compromised, DarkSword can silently extract sensitive data, including:
- Contacts
- Messages
- Call history
- iOS Keychain data (including Wi-Fi passwords and stored credentials)
Unlike tools such as Pegasus, DarkSword is not designed for long-term surveillance. Instead, it operates as a “quick hit” toolkit — infiltrate, steal data, and exit.
Notably, it also includes features for cryptocurrency theft.
Who Is at Risk?
DarkSword targets devices running iOS 18 or older, especially those without Lockdown Mode enabled.
According to Apple, around 25% of users are still on iOS 18 or earlier versions — meaning hundreds of millions of devices could be vulnerable.
The good news:
- Devices updated to iOS 26 (released October 2025) are not affected.
- Apple also released a security patch on March 11 for older devices that cannot upgrade to iOS 26.
(Fun fact: Apple skipped iOS 19 entirely and aligned version numbering with the current year.)
How to Protect Yourself
If you own an iPhone, here’s what you should do immediately:
- Update your device to the latest available version (iOS 26)
- If your device doesn’t support iOS 26, install the latest security patch (March 11 release)
- Enable Lockdown Mode, a powerful security feature that reduces the attack surface by blocking suspicious scripts and connections
Final Thoughts
The DarkSword leak highlights a growing trend: powerful cyber weapons are no longer limited to nation-states. Once such tools become public, they can be used by virtually anyone.
For users, this means one thing — keeping your device updated is no longer optional. It’s essential.