Russian Hackers Target Ukrainians With New iPhone Exploits

A hacking group strongly suspected of ties to the Russian government has been actively exploiting iPhone users in Ukraine with sophisticated new tools designed to steal personal data and, potentially, cryptocurrency. Cybersecurity researchers at Google, iVerify, and Lookout have identified the campaign, linked to a previously uncovered operation, and dubbed the new toolkit “Darksword.”

Escalation of iPhone Hacking Capabilities

The discovery of Darksword follows closely after the revelation of another advanced hacking tool, Coruna, earlier in March. Coruna was initially developed by U.S. defense contractor L3Harris for Western intelligence agencies (including the Five Eyes alliance) before being adopted by Russian spies and Chinese cybercriminals. The emergence of two such tools suggests that highly capable iPhone hacking spyware is more accessible than previously believed. Notably, both campaigns have focused almost exclusively on Ukrainian targets, indicating a degree of restraint despite the tools’ global potential.

Darksword: A “Smash-and-Grab” Operation

Unlike surveillance-focused spyware designed for long-term access, Darksword appears optimized for rapid data exfiltration. The toolkit steals passwords, photos, messages (from WhatsApp and Telegram), and browsing history, then quickly disappears. Researchers estimate the malware remains active on a device for only “minutes,” depending on the amount of data stolen. This suggests a primary focus on immediate intelligence gathering rather than prolonged monitoring.

“The most likely explanation is that the hackers were interested in learning about the victims’ pattern of life, which didn’t require them to do constant surveillance, but rather a smash-and-grab operation,” says Rocky Cole, co-founder of iVerify.

Dual Motives: Espionage and Financial Gain

Darksword also incorporates capabilities for stealing cryptocurrency from popular wallet apps, an unusual addition for a suspected state-backed hacking group. While researchers are unsure if the hackers actively sought financial gain, the malware’s ability to steal crypto suggests either a financially motivated operation or a widening scope of Russian cyber activity. The modular design of Darksword, allowing for easy expansion of functionality, further indicates professional development.

Attribution and Implications

Security experts overwhelmingly point to the Russian government as being behind Darksword. Lookout researchers confirm the same group responsible for the Coruna campaign is likely involved. Justin Albrecht of Lookout describes the actor as “well-funded and connected,” conducting attacks aligned with Russian intelligence requirements. The campaign itself was broad, infecting Ukrainian users who visited compromised websites while within the country.

The increasing sophistication and accessibility of iPhone hacking tools raise serious concerns about the future of mobile security. The fact that these tools originated with Western contractors before being adopted by adversaries underscores the dangers of dual-use technology in the cyber domain. This latest campaign reinforces the need for heightened vigilance and improved defenses against state-sponsored hacking.
