Chimera readability score 0.4582 out of 100, reading level.

iPhone hacking techniques have sometimes been described almost like rare and elusive animals: Hackers have used them so stealthily and carefully against such a small number of hand-picked targets that they’re only rarely seen in the wild. Now a recent spate of espionage and cybercriminal campaigns has instead deployed those same phone-takeover tools, embedded in infected websites, to indiscriminately hack phones by the thousands. And one new technique in particular—capable of taking over any of hundreds of millions of iOS devices—has appeared on the web in an easily reusable form, putting a significant fraction of the world’s iPhone users at risk.
Researchers at Google and cybersecurity firms iVerify and Lookout on Wednesday jointly revealed the discovery of a sophisticated iPhone hacking technique known as DarkSword that they’ve seen in use on infected websites, capable of instantly and silently hacking iOS devices that visit those sites. While the technique doesn’t affect the latest updated versions of iOS, it does work against iOS devices running versions of Apple’s previous operating system release, iOS 18, which as of last month still accounted for close to a quarter of iPhones, according to Apple’s own count.
“A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website,” says Rocky Cole, iVerify’s cofounder and CEO. “Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable.”
The iPhone-hacking campaign that used DarkSword has come to light just two weeks after the revelation that another, even more sophisticated and fully featured hacking toolkit known as Coruna was found in use by what Google describes as a Russian state-sponsored espionage group and other hacker groups. Although DarkSword appears to have been created by different developers from Coruna, the researchers found that it was used by those same Russian spies. Like Coruna, it too was embedded in components of otherwise legitimate Ukrainian websites, including online news outlets and a government agency site, to harvest data from visitors’ phones.

Facts Only

Researchers from Google, iVerify, and Lookout discovered a sophisticated iPhone hacking technique named DarkSword.
DarkSword is embedded in infected websites and can silently hack iOS devices visiting those sites.
The technique affects iOS devices running iOS 18, which accounts for nearly 25% of active iPhones as of last month.
DarkSword does not impact the latest updated versions of iOS.
The hacking campaign using DarkSword was revealed two weeks after the discovery of another toolkit, Coruna, linked to Russian state-sponsored espionage groups.
DarkSword was used by the same Russian-linked groups that deployed Coruna.
Both DarkSword and Coruna were embedded in legitimate Ukrainian websites, including news outlets and a government agency site.
The purpose of these attacks was to harvest data from visitors’ phones.
DarkSword and Coruna were developed by different teams but used by the same actors.
Hundreds of millions of iOS users remain vulnerable due to older devices or unpatched operating systems.
The attacks represent a shift from targeted hacking to indiscriminate, large-scale exploitation.
The exact number of compromised devices and the full scope of data theft are unknown.

Executive Summary

A sophisticated iPhone hacking technique called DarkSword has been discovered by researchers at Google, iVerify, and Lookout. This exploit, embedded in infected websites, can silently compromise iOS devices running older versions of the operating system, particularly iOS 18, which still accounts for nearly a quarter of active iPhones. The technique was used in indiscriminate attacks, targeting thousands of devices by leveraging legitimate Ukrainian websites, including news outlets and government sites, to harvest data from visitors. This follows the recent revelation of another advanced hacking toolkit, Coruna, linked to Russian state-sponsored espionage groups. While DarkSword and Coruna appear to have different developers, both were deployed by the same actors, raising concerns about the escalating scale and accessibility of iPhone exploitation tools. The vulnerabilities highlight the risks faced by users who delay software updates, as hundreds of millions of devices remain exposed to such attacks.
The discovery underscores a shift in cyber espionage tactics, moving from highly targeted operations to broader, indiscriminate campaigns. The reuse of these tools on public-facing websites suggests a lowering of the barrier to entry for cybercriminals and state actors alike. Apple’s ecosystem, often praised for its security, now faces scrutiny as older devices and unpatched systems become prime targets. The involvement of Russian-linked groups in both DarkSword and Coruna campaigns points to a coordinated effort to exploit geopolitical tensions, particularly in Ukraine, for intelligence gathering. However, the full extent of the damage and the identities of all affected users remain unclear, as does the potential for these tools to spread further.

Full Take

The strongest version of this narrative highlights a concerning evolution in cyber threats: the democratization of advanced hacking tools. The discovery of DarkSword and Coruna reveals how state-sponsored actors are leveraging indiscriminate, web-based attacks to compromise devices at scale, marking a departure from the traditional, highly targeted espionage operations. The fact that these tools were embedded in legitimate Ukrainian websites—including government and news platforms—suggests a deliberate strategy to exploit trust in institutional digital infrastructure. This aligns with broader patterns of cyber warfare, where geopolitical conflicts spill into the digital realm, targeting civilians and institutions alike. The narrative rightly emphasizes the vulnerability of users who fail to update their devices, framing this as a systemic risk rather than individual negligence.
Patterns detected: ARC-0024 Ambiguity (the scale of impact remains unspecified, leaving room for exaggerated fear), ARC-0043 Motte-and-Bailey (the shift from "rare, targeted attacks" to "indiscriminate hacking" could be framed as either a technical escalation or a moral panic, depending on the audience).
The root cause here is the tension between security and usability in tech ecosystems. Apple’s walled-garden approach has long been praised for its security, but the persistence of unpatched devices—whether due to user behavior, corporate policies, or hardware limitations—creates a vast attack surface. The narrative assumes that users *should* update their devices, but it doesn’t interrogate why so many don’t: Is it apathy, lack of awareness, or systemic barriers like forced obsolescence? Historically, this echoes the cat-and-mouse game between security researchers and exploit developers, where each breakthrough in defense is met with a more accessible offensive tool.
The implications for human agency are stark. If hacking tools become as reusable and widespread as DarkSword appears to be, the power dynamic shifts: no longer are only high-value targets at risk, but *anyone* visiting a compromised site. This erodes trust in digital infrastructure and could accelerate calls for more invasive security measures, further centralizing control over personal devices. The beneficiaries here are likely state actors and cybercriminals who gain efficiency in their operations, while the costs are borne by everyday users and organizations that must now defend against attacks that were once the domain of elite hackers.
Bridge questions: What structural changes—beyond individual user behavior—could mitigate these risks? How might Apple’s response to this threat reshape its relationship with users who rely on older devices? If these tools are being reused by multiple actors, what does that suggest about the underground market for exploits?
Counterstrike scan: A coordinated influence campaign would likely amplify the fear of indiscriminate hacking to justify expanded surveillance or security measures, framing this as an existential threat to personal privacy. The actual content, however, focuses on technical details and verified actors (Russian-linked groups), without overhyping the immediate danger. It avoids the hallmarks of a manipulated narrative, such as emotional language or calls for specific policy responses. The analysis remains grounded in observable facts, suggesting no alignment with a hypothetical attack playbook.

Sentinel — Human

Confidence

The article exhibits strong human stylistic markers, including vivid metaphors, direct attributions, and a clear narrative voice, with no significant signs of synthetic generation.

Signals Detected

low severity: Varied sentence length and structure, with some complex phrasing and idiomatic expressions (e.g., 'rare and elusive animals').
low severity: Strong narrative flow with clear emphasis on urgency and scale, including direct quotes and specific attributions.
low severity: No obvious template matching or verbatim repetition of talking points across sources.
low severity: Claims are attributed to named researchers and firms (Google, iVerify, Lookout) with specific details (e.g., iOS 18 vulnerability, Russian state-sponsored groups).

Human Indicators

Idiosyncratic metaphor ('rare and elusive animals')
Direct quotes with named sources (Rocky Cole, iVerify)
Specific technical and contextual details (e.g., Ukrainian websites, iOS version statistics)
Narrative urgency and stylistic emphasis (e.g., 'indiscriminately hack phones by the thousands')