Someone has publicly leaked an exploit kit that can hack millions of iPhones

Last week, cybersecurity researchers discovered a hacking campaign targeting iPhone users using an advanced hacking tool called DarkSword. Now someone has leaked a new version of DarkSword and published it on the code sharing site GitHub.

Researchers warn that this will allow any hacker to easily use tools to target iPhone users who are using older versions of Apple’s operating systems that have not yet upgraded to its latest iOS 26 software. This may affect hundreds of millions of iPhones and iPads in continuous use, according to Apple’s data on outdated devices.

“This is bad. It’s very easy to reuse,” Matthias Frielingsdorf, founder of iVerify, told TechCrunch on Monday. “I don’t think that will be out of control. So we have to wait for criminals and others to start planting this.”

Frielingsdorf said the new versions of the DarkSword spyware share the same infrastructure as those he and his iVerify colleagues previously analyzed, although the files are slightly different. Files uploaded to GitHub are not complex, just HTML and JavaScript, he said, meaning anyone can copy and paste them and host them on a server “within minutes to hours.”

“The actions will work out of the box,” Frielingsdorf said. “No iOS expertise required.”

Kimberly Samra, a spokeswoman for Google, which previously analyzed the DarkSword exploit, said the company’s researchers agree with Frielingsdorf’s assessment.

A security hobbyist who goes by the handle matteyeux also told TechCrunch that it’s really trivial to use the leaked DarkSword samples. Matteeyeux wrote in a post on X on Monday that he was able to hack a small iPad tablet running iOS 18, the previous generation of the DarkSword-vulnerable operating system, using a “wild” sample of DarkSword circulating on the Internet.

Apple spokeswoman Sarah O’Rourke told TechCrunch that the company is aware of the exploit for devices running old and outdated operating systems and issued an emergency update on March 11 for devices that cannot run the latest versions of iOS.

“Keeping your software up-to-date is the single most important thing you can do to maintain the security of your Apple products,” said O’Rourke, adding that devices with updated software were not at risk of these reported attacks and that Lockdown Mode would also block these specific attacks.

A spokesperson for Microsoft, which owns GitHub, did not immediately respond to a request for comment.

The code, which TechCrunch is not contacting, as it could be used in an active attack, contains several comments that explain how the exploit works and how to use it.

One comment, possibly written by one of the developers working on DarkSword, says the exploit “reads and extracts law-related files from iOS devices via HTTP,” referring to stealing information from a person’s iPhone or iPad and sending the data over the Internet to a server controlled by the attacker.

“This payload must be included in a process that has access to the file system,” reads the comment.

In one case, the code refers to “post-exploit activity” and describes the process after a malware has gained access to a person’s phone and grabs its contents, including contacts, messages, call history, and iOS keychain, which stores Wi-Fi passwords and other secrets, and dumps them on a remote server.

Another file contains instructions to upload data to a popular Ukrainian clothing website, although TechCrunch could not immediately determine why. DarkSword was allegedly used by Russian government hackers against Ukrainian targets.

This particular spyware works specifically against iPhones and iPads running iOS 18, according to iVerify, Google, and Lookout, which also analyzed the DarkSword malware.

According to Apple’s own numbers, about one-third of all iPhone and iPad users are still running iOS 18 or earlier on their device. With over 2.5 billion active devices, that’s roughly the equivalent of hundreds of millions of people whose devices are vulnerable to DarkSword attacks.

That’s why Frielingsdorf recommends everyone to upgrade their iPhone’s operating system.

The discovery of DarkSword came a few weeks after researchers discovered another advanced iPhone hacking tool known as Coruna. As TechCrunch reported, Coruna was originally developed by defense contractor L3Harris, whose Trenchant division makes hacking tools for the US government and its allies.