DarkSword, an advanced hacking toolkit previously used by government spies and cybercriminals, has leaked online. The code is now available on GitHub, making it dangerously easy for anyone to launch attacks targeting iPhones and iPads running older versions of iOS. Security researchers confirm that DarkSword exploits vulnerabilities in devices running iOS 18.4 and 18.7, putting millions at risk of data theft, including messages, browser data, location history, and even cryptocurrency.
This leak is a major threat for everyday users. Unlike previous targeted campaigns, such as those against Uyghur Muslims in China or activists in Hong Kong, DarkSword’s exploits are now accessible to anyone with basic web skills. The attacks are indiscriminate: simply visiting a compromised website could let hackers take full control of a device and siphon off private data. The toolkit is written in HTML and JavaScript, making it plug-and-play for would-be attackers. Researchers have already demonstrated successful hacks on their own devices using the leaked code.
Who’s at risk and why it matters
If your iPhone or iPad isn’t running the latest software, you’re a potential target. Apple states that users with the most recent versions of iOS 15 through iOS 26 are protected. However, almost one in three Apple device owners haven’t updated, leaving millions exposed. The leak means attacks could scale fast, with no technical barrier for bad actors to weaponize the code.
For players, creators, and anyone storing sensitive information on their Apple devices, the risk is real. Stolen data could include game accounts, payment info, personal messages, and location history. The situation echoes the 2017 NSA exploit leak that fueled the global WannaCry ransomware attack, showing how quickly government-grade tools can spiral out of control once public.
Where did DarkSword come from?
Parts of the related Coruna toolkit were developed by Trenchant, a hacking unit within U.S. defense contractor L3Harris. These exploits were originally sold to the U.S. government and its allies but eventually found their way to Russian and Chinese cybercriminals. Kaspersky linked some Coruna exploits to Operation Triangulation, a suspected government-led cyberattack on Russian iPhone users. The origin of DarkSword itself remains murky, but researchers have tracked attacks using it in China, Malaysia, Turkey, Saudi Arabia, and Ukraine.
What’s different now is the public leak. The DarkSword code was posted to GitHub, where it remains available for download. GitHub told TechCrunch it will not remove the code unless it’s directly linked to active malware campaigns, citing educational value for the security community. This means the threat isn’t going away soon.
What you should do now
- Update your iPhone or iPad to the latest iOS version immediately. iVerify recommends iOS 18.7.6 or iOS 26.3.1 to mitigate all known vulnerabilities in these attack chains.
- Be cautious about clicking unknown links or visiting unfamiliar websites, especially if you haven’t updated your device.
- If you’re unable to update (older hardware), consider minimizing sensitive activity on that device until a fix is available.
The bottom line: This isn’t a drill. The DarkSword leak puts everyday users, not just high-profile targets, at risk. Update your Apple devices now, and stay alert for further security advisories. If you’re part of the one-third still running outdated iOS, you’re in the crosshairs.