PANews reported on May 15th that SlowMist's Cosmos posted on the X platform that the high-risk iOS attack framework DarkSword has been publicly leaked on GitHub and other channels, and is being used for large-scale data theft attacks targeting cryptocurrency wallet holders. This attack program targets iOS versions 18.4 to 18.7 devices, using malicious web pages to exploit vulnerabilities in the Safari browser to achieve remote code execution, thereby stealing sensitive user data.

Attackers are using decoy websites such as fake pornographic live streams, Tron energy stations, and refund processes to launch attacks. If iPhone users running older versions of iOS visit such websites using the Safari browser (even without closing the page), their private keys and mnemonic phrases in plaintext may be stolen by malicious JavaScript code when they unlock their wallet app, and then transmitted back in real time through channels such as Telegram bots.