Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild | WIRED
Overview
iPhone hacking techniques have sometimes been described almost like rare and elusive animals: Hackers have used them so stealthily and carefully against such a small number of hand-picked targets that they're only rarely seen in the wild. Now a recent spate of espionage and cybercriminal campaigns has instead deployed those same phone-takeover tools, embedded in infected websites, to indiscriminately hack phones by the thousands. And one new technique in particular—capable of taking over any of hundreds of millions of iOS devices—has appeared on the web in an easily reusable form, putting a significant fraction of the world's iPhone users at risk.
Details
Researchers at Google and cybersecurity firms iVerify and Lookout on Wednesday jointly revealed the discovery of a sophisticated iPhone hacking technique known as DarkSword that they've seen in use on infected websites, capable of instantly and silently hacking iOS devices that visit those sites. While the technique doesn't affect the latest, updated versions of iOS, it does work against iOS devices running versions of Apple's previous operating system release, iOS 18, which as of last month still accounted for close to a quarter of iPhones, according to Apple's own count.
“A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website,” says Rocky Cole, iVerify's cofounder and CEO. “Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable.”
The iPhone-hacking campaign that used DarkSword has come to light just two weeks after the revelation that another, even more sophisticated and fully featured hacking toolkit known as Coruna was in use by what Google describes as a Russian state-sponsored espionage group and other hacker groups. Although DarkSword appears to have been created by different developers from Coruna, the researchers found that it was used by those same Russian spies. Like Coruna, it too was embedded in components of otherwise legitimate Ukrainian websites, including online news outlets and a government agency site, to harvest data from visitors' phones.
Beyond this Russian spy campaign, according to Google, DarkSword was spotted earlier when hackers used it to compromise the phones of victims in Saudi Arabia, Turkey, and Malaysia. In the case of the Turkish and Malaysian targets, Google writes in its blog post that customers of the Turkish security and surveillance firm PARS Defense appear to have used the intrusion tool. All of that suggests that DarkSword has already proliferated to several different hacking groups, Google says, and more are likely to adopt it.
In fact, iVerify cofounder and researcher Matthias Frielingsdorf notes that the Russian hackers who most recently used DarkSword in their espionage campaign left the full, unobscured DarkSword code—complete with explanatory comments in English that describe each component and include the “DarkSword” name for the tool—available on those sites for anyone to access and reuse. That carelessness, he says, practically invites other hackers to pick up the tool and target other iPhone users. “Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It's as simple as that,” says Frielingsdorf. “It's all nicely documented, also. It's really too easy.”
WIRED reached out to Apple for comment on the researchers' findings, but the company didn't provide comment. Google declined to comment beyond the blog post it released about its DarkSword findings. WIRED also reached out to PARS Defense via its X account but didn't immediately receive a response.
According to Lookout, DarkSword is designed to steal data from vulnerable iPhones, including passwords and photos; logs from iMessage, WhatsApp, and Telegram; browser history; Calendar and Notes data; and even data from Apple's Health app. Despite the apparent espionage focus of the hacking campaign, DarkSword also steals users' cryptocurrency wallet credentials, suggesting the hackers may have carried out a possible side business in for-profit cybercrime.
Rather than install spyware that persists on users' phones, DarkSword uses stealthier techniques that are more often seen in “fileless” malware that typically targets Windows devices, hijacking the legitimate processes in an iPhone's operating system to steal data. “Instead of using a spyware payload to brute force your way through the file system—which leaves tons of artifacts of exploitation that are pretty easy to detect—this just uses system processes the way they're meant to be used,” iVerify's Cole says. “And it leaves far fewer traces.”
That fileless technique also means that a DarkSword infection doesn't persist on a phone after it reboots, Cole says. Instead, it steals data from the phone within the first few minutes after it's hacked—what he calls a “smash-and-grab” approach.
While the Coruna iOS hacking toolkit exposed earlier this month works against iOS versions 13 through 17, DarkSword works against most versions of iOS 18, the previous version of Apple's mobile operating system before the company released iOS 26 last fall. (In fact, DarkSword contains two distinct exploit “chains” that take advantage of different vulnerabilities in earlier and later versions of iOS 18, depending on which one a target device is running.) That means many more phones remain at risk to DarkSword than Coruna, especially given the relatively slow adoption and unpopularity of iOS 26, which has been criticized for new features such as a “liquid glass” interface some users have complained is overly animated and reduces legibility.
Both Apple itself and StatCounter, which tracks operating system adoption, released numbers last month showing that close to a quarter of iPhone users remain on iOS 18. To update your iPhone, tap Settings, then General, then Software Update. (And you can find steps for limiting liquid glass here.) Both iVerify and Lookout say their security apps also can detect if a phone is compromised with DarkSword in the form they've observed it.
Who created DarkSword remains a mystery. But the researchers who found it agree it almost certainly wasn't built by the Russian hackers who deployed it. They instead suspect a “broker” firm that buys and sells hacking techniques. Aside from the English-language comments in DarkSword's code—probably written to explain its use to a customer—the clearest clue about its origin is its association with Coruna: TechCrunch reported last week that Coruna was created by Trenchant, a subsidiary of US government contractor L3Harris that creates hacking techniques for the US government. Former Trenchant employee Peter Williams pleaded guilty last year to selling the company's tools to a Russian broker firm called Operation Zero, which has since been sanctioned by the US government.
While there's no clear sign that DarkSword was also created by Trenchant or built for use by the US government, its deployment by the same Russian hackers who likely bought access to Coruna suggests that DarkSword, too, may have been sold by Operation Zero or another broker in hacking techniques. (Operation Zero didn't respond to WIRED's request for comment.) Beyond the Russian spies who used it, Coruna was also later used by cybercriminals to steal cryptocurrency from Chinese-speaking victims, an even more reckless use of an iPhone hacking toolkit—and a potential sign that Operation Zero will resell its offerings to any hacker group willing to pay.
The back-to-back appearance of two different, powerful iPhone hacking techniques, possibly both sold by a broker firm with little discretion, suggests an increasingly active market for the resale of exploits that once were considered extremely rare and used only for highly targeted attacks against individual victims.
“People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn't a concern for a normal citizen,” says Justin Albrecht, who leads mobile threat intelligence at Lookout. “Now that we see iOS exploits being delivered through an unscrupulous broker, there's a whole market here for this to get to cybercriminals” who will use it with far less discretion.
iVerify's Cole argues that the fact that DarkSword was put to use so brazenly, with no real attempt to prevent its discovery on the sites where it was embedded, also suggests that iOS hacking techniques are now attainable enough on that black market that hackers are willing to use them indiscriminately—even if the result is their exposure.
“If this one gets burned, I'll just go get another one,” Cole says, describing the hackers' apparent thinking. “They know there's more where this came from.”
Updated at 10:30 am ET, March 18, 2026: Added additional information released by Google.



