DarkSword Is the Latest iPhone Vulnerability: What Should You Do?
Security researchers have uncovered DarkSword, a sophisticated cyberattack that can silently steal everything on your iPhone in minutes, with nothing but a visit to a website.
If your iPhone is running iOS 18.4 through 18.6.2, you may be at risk right now. The fix is simple: update to iOS 18.7.3 or later.
What Is DarkSword?
Imagine a burglar who can walk through your locked front door, rifle through every drawer in your house, photograph everything valuable, and disappear, all without making a sound, and without you ever opening the door for them. That is essentially what DarkSword does to an iPhone.
Discovered by security firm Lookout in March 2026, DarkSword is a full iOS exploit chain and payload targeting iPhones running iOS versions between 18.4 and 18.6.2 (Lookout). It was built to silently break into iPhones, steal a sweeping range of personal information, and then vanish, leaving almost no trace behind.
What makes it especially alarming is the delivery mechanism. You don’t have to download a suspicious app. You don’t have to click a phishing link that looks obviously fake. Simply visiting a compromised legitimate website is enough to trigger the attack, a technique known as a watering hole attack. Even if a user needs to be lured to the site, social engineering defensive training is not effective since the infection URL is legitimate (Lookout).
“The infection URL is legitimate. Even security-aware users have no way to detect it.” - Lookout Threat Labs, March 2026
Who Is At Risk?
DarkSword specifically targets iPhones running iOS versions 18.4 through 18.6.2. If your phone is on any of these software versions and you haven’t updated yet, you may be vulnerable.
While the attacks observed so far have targeted Ukrainian users, particularly visitors to Ukrainian news sites and government websites, DarkSword’s use of exploits affecting newer iOS versions could potentially affect hundreds of millions of devices (Lookout). Any iPhone user on an affected iOS version should treat this as a personal concern.
People most at risk include iPhone users running iOS 18.4 through 18.6.2 who haven’t yet updated, people who use cryptocurrency apps like Coinbase, Binance, MetaMask, Ledger, and Trezor, journalists, activists, or government employees who may be of interest to foreign intelligence services, business professionals whose phones hold access to corporate email and files, and anyone who stores sensitive passwords, financial details, or private messages on their iPhone.
That last point deserves emphasis. DarkSword doesn’t just steal obvious targets like bank apps. It goes after your photos, your notes, your location history, your calendar, even your health data. For most people, a complete copy of everything on their phone would be deeply invasive, regardless of whether they consider themselves a “high-value” target.
What Does It Actually Steal?
Once DarkSword gets into a device, it takes a hit-and-run approach, collecting and exfiltrating targeted data within seconds or at most minutes, followed by cleanup (Lookout). Here is the full picture of what it is designed to take: saved passwords, emails from all accounts, photos and videos, iCloud Drive files, Telegram messages, WhatsApp messages, SMS and iMessages, your address book and contacts, call history, Safari browsing history and cookies, Wi-Fi network passwords, location and location history, notes, calendar events, health data, cryptocurrency wallet data, SIM and cellular information, and a list of all installed apps.
After all the data has been exfiltrated, the staged files are cleaned up and the process exits cleanly (Lookout), making it very difficult to know after the fact whether you were ever compromised.
Who Is Behind This?
The attackers have been given the designation UNC6353 by researchers, described as a likely Russian threat actor (Lookout). Here is what is known.
Researchers believe this group is likely connected to Russian intelligence interests, based on its targets (Ukrainian government and news sites) and tactics that mirror known Russian cyber operations. However, the group also targets cryptocurrency wallets, a clearly financially motivated target, indicating a dual-use approach that is an important insight into the threat actor’s motives (Lookout).
They are assessed to have access to a supply of high-quality iOS exploit chains, likely developed for tier-1 commercial surveillance vendors, indicating they are likely well funded and may have connections to exploit brokers such as Matrix LLC / Operation Zero (Lookout). They bought this weapon rather than building it themselves. Sophisticated cyberweapons are now available on a shadowy secondary market, putting nation-state-grade hacking tools into the hands of groups with money but not necessarily deep technical expertise.
Analysis of patterns suggests that AI tools were used in the creation of at least some of the implant code, and it appears probable that UNC6353 relied on AI support to add additional functionality to purchased tooling (Lookout).
Researchers assess that UNC6353 is a well-funded, well-connected but technically less sophisticated threat actor whose goals include both financial gain and espionage aligned with Russian intelligence requirements (Lookout).
How to Protect Yourself
Devices running the most recent versions of iOS (18.7.3 or later for iOS 18) are not susceptible to this threat or the vulnerabilities exploited by it (Lookout). Updating is the single most important thing you can do.
Beyond updating, here are practical steps to reduce your risk.
First, update your iPhone right now. Updating to iOS 18.7.3 or later closes the exact vulnerabilities DarkSword uses.
Second, enable automatic updates. Turn on automatic software updates so your phone stays protected without you having to remember. Go to Settings, then General, then Software Update, then Automatic Updates, and turn both toggles on.
Third, be cautious on unfamiliar websites. DarkSword spreads via compromised legitimate websites, so standard advice about avoiding suspicious links won’t always help. Minimizing browsing on unfamiliar sites, especially on public Wi-Fi, reduces exposure.
Fourth, secure your cryptocurrency. Cryptocurrency exchanges targeted by DarkSword include Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC, and it also targets wallets such as Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe (Lookout). If you use any of these, treat this as a high-priority alert and consider moving funds to a hardware wallet not connected to any device.
Fifth, change critical passwords. If you believe your device may have been at risk, consider changing your most sensitive passwords, including email, banking, and crypto, from a separate updated device.
Sixth, consider enabling Lockdown Mode. If you are a high-risk individual such as a journalist, activist, executive, or government employee, Apple’s Lockdown Mode significantly reduces the attack surface on your device. Go to Settings, then Privacy and Security, then Lockdown Mode. Note that it restricts some features.
How to Update Your iPhone
Updating your iPhone takes less than 15 minutes in most cases. Here is exactly how to do it.
Step 1: Open the Settings app on your iPhone (the grey icon with gears).
Step 2: Scroll down and tap General.
Step 3: Tap Software Update. Your phone will check for available updates, which may take a moment.
Step 4: If an update is available, tap “Update Now,” or “Download and Install” if it hasn’t downloaded yet.
Step 5: Enter your iPhone passcode if prompted.
Step 6: Your iPhone will download the update and restart. Make sure you’re connected to Wi-Fi with at least 50% battery, or plug it in. The process typically takes 5 to 15 minutes.
Step 7: After the restart, go back to Settings, then General, then Software Update, to confirm you are now running iOS 18.7.3 or later.
As a bonus step, while in the Software Update screen, tap Automatic Updates and turn on both “Download iOS Updates” and “Install iOS Updates” so this happens on its own in future.
If your iPhone is too old to receive iOS 18, be aware that older devices may not receive security patches for newer vulnerabilities. If your device cannot update beyond iOS 16 or 17, consider speaking with your employer’s IT department or evaluating whether it may be time to upgrade your hardware.
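For anyone checking more than one phone, such as an IT department, the version ranges given in this article can be applied to a device inventory export. The Python sketch below is an added example, not code from Lookout or from the original article; the CSV columns, device names and status labels are made up for illustration. Versions are compared as numbers rather than text, so that 18.10 is correctly treated as newer than 18.7.3.

```python
import csv
import io

# Version bounds as stated in the article.
AFFECTED_MIN = (18, 4, 0)   # iOS 18.4 ...
AFFECTED_MAX = (18, 6, 2)   # ... through 18.6.2
FIXED_MIN = (18, 7, 3)      # 18.7.3 or later for iOS 18

# Constructed sample inventory (hypothetical device names and columns).
SAMPLE_INVENTORY = """device,os_version
alice-iphone,18.5
bob-iphone,18.6.2
carol-iphone,18.7.2
dave-iphone,18.7.3
erin-iphone,18.10
frank-iphone,17.7.2
grace-iphone,
"""

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(([int(p) for p in parts] + [0, 0])[:3])

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # missing or malformed: check the device by hand
    if v[0] != 18:
        return "not-assessed"   # the article only gives ranges for iOS 18
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    return "update"             # iOS 18, outside the stated range, below 18.7.3

def triage(csv_text):
    """Group device names by status."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["os_version"] or "")
        report.setdefault(status, []).append(row["device"])
    return report

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices)}")
```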
The protection is available, free, and takes less time than making a cup of coffee. Share this with anyone who uses an iPhone.
Based on research published by Lookout Threat Labs, March 18, 2026. For informational purposes only. Always consult official sources for the latest guidance.

