
    Google Threat Intel Flags Ghostblade as Crypto-Stealing Malware

    23 seconds ago

    Google Threat Intelligence has flagged a new crypto-stealing malware named “Ghostblade” targeting Apple iOS devices. Described as part of the DarkSword family of browser-based tools, Ghostblade is engineered to siphon private keys and other sensitive data in a rapid, discreet burst rather than by maintaining a continuous, always-on presence on the device.

    Written in JavaScript, Ghostblade activates, harvests data from the compromised device, and relays it to malicious servers before shutting down. Researchers note that the malware’s design makes it harder to detect, as it does not require additional plugins and ceases operation once data extraction completes. Google’s threat intelligence team highlights that Ghostblade also takes steps to avoid detection by deleting crash reports that would otherwise alert Apple’s telemetry systems.

    Beyond private keys, the malware is capable of accessing and transmitting messaging data from iMessage, Telegram, and WhatsApp. It can also harvest SIM card information, user identity details, multimedia files, geolocation data, and access various system settings. The broader DarkSword framework, which Ghostblade belongs to, is cited by Google as part of an evolving set of threats illustrating how attackers continually refine their toolkit to target crypto users.

    For readers who track threat trends, Ghostblade sits alongside other components of the DarkSword iOS exploit chain described by Google Threat Intelligence. These tools appear against a wider backdrop of evolving crypto threats, including reports on iOS-based exploit kits used in crypto phishing campaigns.

    Key takeaways

    • Ghostblade represents a JavaScript-based crypto-stealing threat on iOS, delivered as part of the DarkSword ecosystem and designed for fast data exfiltration.
    • The malware operates briefly and non-continuously, reducing the likelihood of long-term device footholds and complicating detection.
    • It can relay sensitive data from iMessage, Telegram, and WhatsApp, and can access SIM information, identity data, multimedia, geolocation, and system settings, while also erasing crash reports to evade discovery.
    • The development aligns with a broader shift in the threat landscape toward social-engineering and data-extraction tactics that exploit human behavior, not just software vulnerabilities.
    • February’s crypto-hacking losses dropped sharply to $49 million from $385 million in January, signaling a pivot from code-based intrusions to phishing and wallet-poisoning techniques, according to Nominis.

    Ghostblade and the DarkSword ecosystem: what’s known

    Google’s researchers describe Ghostblade as a component of the DarkSword family—a suite of browser-based malware tools that target crypto users by stealing private keys and related data. Ghostblade’s JavaScript core allows rapid interaction with the device while remaining lightweight and transient. This design choice is consistent with other recent on-device threats that favor quick data exfiltration cycles over prolonged infections.

    In practice, the malware’s capabilities extend beyond mere key theft. By accessing messaging apps such as iMessage, Telegram, and WhatsApp, attackers can intercept conversations, credentials, and potentially sensitive attachments. The inclusion of SIM card information and geolocation access broadens the potential attack surface, enabling more comprehensive identity theft and fraud scenarios. Crucially, the malware’s ability to wipe crash reporting further obscures activity, complicating post-infection forensics for both victims and defenders.

    As part of the broader DarkSword discourse, Ghostblade underscores the ongoing arms race in on-device threat intelligence. Google Threat Intelligence has framed DarkSword as one of the latest examples illustrating how malicious actors continue to refine iOS-focused attack chains, exploiting the strong trust users place in their devices and the apps they rely on for daily communication and finance.

    From code-centric intrusions to human-factor exploits

    The February 2026 crypto-hacking landscape reflects a marked shift in attacker behavior. According to Nominis, total losses from crypto hacks fell to $49 million in February, a steep drop from $385 million in January. The firm attributes the decline to a pivot away from purely code-based threats toward schemes that leverage human error, including phishing attempts, wallet poisoning attacks, and other social-engineering vectors that lead users to unwittingly reveal keys or credentials.

    Phishing remains a central tactic. Attackers deploy fake websites designed to resemble legitimate platforms, often with URLs that mimic real sites to lure users into entering private keys, seed phrases, or wallet passwords. When users interact with these lookalike interfaces—whether by logging in, approving transactions, or pasting sensitive data—the attackers gain direct access to funds and credentials. This shift toward human-targeted exploits has implications for how exchanges, wallets, and users must defend themselves, emphasizing user education alongside technical safeguards.
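
The lookalike-URL tactic described above can be screened for before a wallet or exchange page accepts a seed phrase or password. This is an added example, not code from the article or from the research it cites; the allowlist `TRUSTED_HOSTS`, the digit-folding table, the edit-distance threshold of 2 and every sample hostname are assumptions made for illustration.

```javascript
// Added example. TRUSTED_HOSTS and all sample URLs are constructed placeholders.
const TRUSTED_HOSTS = ["wallet.example", "exchange.example"];
const DIGIT_FOLD = { "0": "o", "1": "l", "3": "e", "5": "s" };

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Returns { verdict, reason } for a URL the user is about to type secrets into.
function classify(urlString) {
  let host;
  try {
    host = new URL(urlString).hostname; // lowercased, IDNs converted to xn-- form
  } catch {
    return { verdict: "invalid", reason: "unparseable" };
  }
  for (const t of TRUSTED_HOSTS) {
    if (host === t || host.endsWith("." + t)) return { verdict: "trusted", reason: "allowlisted" };
  }
  // Non-ASCII look-alike characters surface as punycode labels.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "lookalike", reason: "idn" };
  }
  const folded = host.replace(/[0135]/g, (d) => DIGIT_FOLD[d]);
  for (const t of TRUSTED_HOSTS) {
    // Trusted name used as leading labels of an unrelated domain.
    if (host.startsWith(t + ".") || host.includes("." + t + ".")) {
      return { verdict: "lookalike", reason: "embedded" };
    }
    // Digit substitutions or a one- or two-character typo of a trusted host.
    if (editDistance(folded, t) <= 2) return { verdict: "lookalike", reason: "typo" };
  }
  return { verdict: "unknown", reason: "not-allowlisted" };
}
```

A host that is merely `unknown` is not proof of phishing; the point of the check is that secrets are only ever entered on a `trusted` verdict.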

    The February data point aligns with a broader industry narrative: while code-level exploits and zero-days continue to mature, a growing share of the risk to crypto holdings comes from social-engineering schemes that exploit well-established human behaviors: trust, urgency, and the habitual use of familiar interfaces. For industry observers, the takeaway is not only about patching software vulnerabilities but also about hardening the human element of security through education, more robust authentication, and safer onboarding experiences for wallet users.

    Implications for users, wallets, and builders

    Ghostblade’s emergence—and the accompanying trend toward human-centered attacks—highlights several practical takeaways for users and developers alike. First, device hygiene remains critical. Keeping iOS up to date, applying app and browser hardening measures, and employing hardware wallets or secure enclaves for private keys can raise the bar against rapid exfiltration attacks.

    Second, users should exercise heightened caution with messaging apps and web surfaces. The convergence of on-device data access with phishing-style deception means that even seemingly benign interactions—opening a link, approving a permission, or pasting a seed phrase—can become a gateway for theft. Multi-factor authentication, authentication apps, and biometric protections can help reduce risk, but education and skepticism about unexpected prompts are equally vital.

    For builders, the Ghostblade case emphasizes the importance of anti-phishing controls, secure key management flows, and transparent user warnings around sensitive operations. It also reinforces the value of continuous threat intelligence sharing—especially around on-device threats that blend browser-based tools with mobile operating system features. Cross-industry collaboration remains essential to detect novel exploitation chains before they become widely effective.

    What to watch next

    As Google Threat Intelligence and other researchers continue to track DarkSword-linked activity, observers should monitor updates on iOS exploit chains and the emergence of similarly stealthy, short-duration malware. The February shift toward human-factor vulnerabilities suggests a future where defenders must bolster both technical safeguards and user-facing education to reduce exposure to phishing and wallet-poisoning schemes. For readers, the next milestones include any formal threat intel advisories on iOS crypto threats, new detections from security vendors, and how major platforms adapt their anti-phishing and fraud-prevention measures in response to these evolving playbooks.

    In the meantime, keeping a watchful eye on threat intelligence sources (such as Google Threat Intelligence’s reporting on DarkSword and related iOS exploits, along with ongoing analyses from Nominis and other blockchain security researchers) will be essential for assessing risk and refining defenses against crypto-focused cybercrime.

    Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links.

    Crypto Breaking News

    The Crypto Breaking News editorial team curates the latest news, updates, and insights from the global cryptocurrency and blockchain industry.
