Binance warns of iOS zero-click exploit targeting wallets

A zero-click iOS flaw targeting crypto wallets hits iPhones on iOS 18.4–18.7, Binance reported. Google links it to the “DarkSword” chain. Apple fixed the bugs in iOS 18.7.3 and urges users to update.

On March 20, 2026, Binance warned of a zero-click exploit chain targeting iPhones running iOS 18.4 to 18.7, focusing on theft of cryptocurrency wallet data. The activity aligns with research that identifies the chain as “DarkSword.” Apple has released fixes in iOS 18.7.3 and is urging iPhone and iPad owners to update.

The exchange explained that the weakness operates at the operating-system level rather than within any single exchange or wallet app. According to its advisory, the compromise can trigger after a user visits a compromised website that appears legitimate. No taps are required for code to execute in the background and pull sensitive data, including wallet credentials. In the notice, Binance wrote, “This issue is not related to any exchange or wallet application, but is a system-level vulnerability in iOS.”

For related context, our Is Binance Safe in 2026 review outlines Binance’s security features and the limits of exchange protection when a device itself is compromised.

Details from Google’s Threat Intelligence Group describe DarkSword as a chain that delivers three payloads. “GhostKnife” and “GhostSaber” provide backdoor access and collect device data such as messages, location history and recordings. The third, “GhostBlade,” is aimed at cryptocurrency assets on the device. Google’s team wrote, “GHOSTBLADE is a dataminer written in JavaScript that collects and exfiltrates a wide variety of data from a compromised device. Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S).”

Researchers found that GhostBlade looks for seed phrases, wallet database files and session credentials from major mobile wallet apps. After exfiltration, it can run a cleanup routine to remove traces of activity.

Google disclosed the underlying vulnerabilities to Apple, which addressed them in iOS 18.7.3. Apple is instructing users to install the latest release to block the exploit chain. Impacted builds include iOS 18.4, 18.5, 18.6 and 18.7. Devices on iOS 18.7.3 or later contain the fixes.

Google’s team has observed suspected state-aligned operators and commercial surveillance vendors using DarkSword since at least November 2025, with activity noted in Saudi Arabia, Turkey, Malaysia and Ukraine.

Binance is advising people who manage digital assets on mobile devices to update to iOS 18.7.3, avoid unverified links, review app permissions, and enable two-factor authentication and withdrawal whitelists on financial services.

The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.

Articles by this author