Hundreds of millions of iPhones and iPads are now vulnerable to a spyware tool that requires almost no technical skill to deploy.

The leaked “DarkSword” exploit kit, published to GitHub last week, targets devices running iOS 18 or earlier. According to Apple’s own data, roughly one-quarter of its 2.5 billion active devices fall into that category — potentially 600 million phones and tablets now open to attack by anyone who can copy and paste a few lines of code.

If your iPhone runs iOS 26, you’re fine. If you’ve enabled Lockdown Mode, you’re also protected. If neither applies, open Settings and update now. Apple released an emergency security patch on March 11 specifically for older devices that cannot run the latest operating system.

How It Works

DarkSword isn’t a technical masterpiece. It’s HTML and JavaScript — the same technologies that power basic websites. iVerify co-founder Matthias Frielingsdorf said the leaked code works “out of the box” with “no iOS expertise required,” an assessment Google’s researchers agreed with.

“You can copy and paste them and host them on a server in a couple minutes to hours,” said Frielingsdorf, who analyzed the leaked files. “They are way too easy to repurpose. I don’t think that can be contained anymore.”

Once installed, the spyware extracts contacts, messages, call history, and the iOS keychain, which stores Wi-Fi passwords and other sensitive credentials. Everything gets uploaded to a server controlled by the attacker. A security hobbyist using the handle matteyeux confirmed the exploit works against an iPad mini running iOS 18, posting proof on X.

From Government Tool to Public Weapon

DarkSword has a history. Researchers first identified it in a hacking campaign targeting Ukrainian users, allegedly linked to Russian government hackers. The code uploaded to GitHub appears to be a newer version, sharing infrastructure with earlier samples.

The leak follows a familiar pattern. Just weeks earlier, researchers discovered another iOS hacking toolkit called Coruna, developed by defense contractor L3Harris for U.S. government clients. Government-grade spyware keeps finding its way into public hands.

What makes DarkSword dangerous isn’t its sophistication — it’s its accessibility. When exploits require deep technical knowledge, the pool of potential attackers stays small. When they’re packaged as copy-paste JavaScript, that pool expands to anyone with a GitHub account and bad intentions. Google’s security researchers agreed with iVerify’s assessment that the tools are now trivially deployable.

What Users Should Do

Apple has already responded. The March 11 emergency update patches the vulnerability on devices stuck on older iOS versions. A spokesperson confirmed that updated software and Lockdown Mode both block the known attacks.

“Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products,” Apple spokesperson Sarah O’Rourke said.

The advice is straightforward: update your device. If you can’t update to iOS 26, apply the March 11 patch. If you’re a high-risk target — journalist, activist, executive — consider enabling Lockdown Mode, which restricts certain features to block sophisticated attacks.

The broader lesson is less comfortable. The market for iOS exploits is active, well-funded, and increasingly leaky. Tools built for governments don’t stay in government hands forever. When they spill into public code repositories, the consequences fall on ordinary users who just haven’t gotten around to that software update.
