Cybersecurity teams have uncovered a Russia-aligned operation using advanced iPhone hacking tools to plunder personal data from Ukrainians, in a campaign that blended nation-state tradecraft with smash-and-grab theft. Researchers at Google, iVerify, and Lookout say the activity cluster, tracked as UNC6353, deployed a new toolkit nicknamed Darksword to quietly raid phones for sensitive information and, unusually for a state actor, target cryptocurrency wallets.
The operation relied on compromised Ukrainian websites and strict geofencing so only users inside the country were exposed, underscoring a focused surveillance-and-theft push amid the ongoing war. While the tools were technically sophisticated, the attacks were brief by design, minimizing forensic footprints while maximizing data haul.
What Researchers Found in the Darksword iPhone Spyware Campaign
According to analysis shared by Google’s threat researchers and the mobile security firms iVerify and Lookout, Darksword was engineered to extract high-value data at speed: passwords and authentication tokens, photos, message histories from WhatsApp, Telegram, and SMS, as well as browser history and device details. Lookout’s team assessed that the malware typically emptied targets of useful data within minutes before self-removing, a tactic that reduces the chance of detection while still revealing victims’ “pattern of life.”
Investigators linked this activity to a broader series of Ukrainian-focused iPhone exploits, including an earlier campaign involving a separate toolkit known as Coruna. The recurrence of independent toolchains aimed at iOS users suggests that high-end mobile spyware is more accessible and less rarefied than many defenders once believed.
How the iPhone Attacks Worked in Ukraine via Web Exploits
The campaign appears to have used a watering-hole strategy: booby-trapped Ukrainian websites delivered exploits to visiting iPhones, with delivery restricted to devices geolocated inside Ukraine. Publicly available technical details remain limited, but investigators point to web-based exploit chains—likely targeting WebKit or related components—that enabled on-device data theft without requiring physical access.
Unlike many mobile implants built for long-term espionage, Darksword emphasized rapid exfiltration and a non-persistent, in-memory footprint. Its modular design allowed operators to deploy or update capabilities as needed, a hallmark of professional development. The toolkit also probed cryptocurrency apps, extracting wallet data and, where possible, moving funds—an atypical objective for state-linked actors that raises the prospect of mixed motives or budget-supplementing theft.
Researchers note that the blend of espionage and financial crime is becoming more common as sophisticated groups take cues from both nation-state and cybercriminal ecosystems. On iOS specifically, brief, non-persistent payloads are an effective way to bypass modern defenses and limit forensic evidence while still achieving mission goals.
Attribution and Motives Behind the Russia-Aligned Campaign
Both iVerify and Lookout assess with high confidence that the same Russia-aligned threat cluster behind Coruna is responsible for the Darksword operation. Rocky Cole, co-founder of iVerify, has said the campaign’s design points to operators interested in quickly mapping victims’ lives rather than staking out long-term access—an intelligence-driven objective that aligns with wartime surveillance priorities.
Coruna’s backstory also highlights the murky supply chain behind mobile spyware. Former L3Harris employees have described Coruna as a capability originally developed for Western government customers, including members of the Five Eyes alliance. Whether Darksword shares lineage, developers, or brokers with Coruna remains unproven, but the professional, modular architecture hints at a commercial-grade origin and an active market for iOS exploits.
Why It Matters for Mobile Security and User Privacy
For years, iPhones were viewed by many users as safer by default. Recent campaigns—from mercenary spyware to state-backed operations—show that perception is outdated. Google’s security teams have documented dozens of in-the-wild zero-day exploits across platforms annually, and mobile devices are now a prime intelligence target because they concentrate personal communications, photos, location, and financial access in one place.
Darksword’s fleeting “hit-and-run” approach underscores a broader shift: attackers no longer need persistence if a quick pass can expose backups, authentication cookies, message histories, and wallet seeds. The result is severe privacy harm even when traditional indicators of compromise are scarce.
Practical Steps Users in Ukraine Can Take to Stay Safer
Researchers recommend immediate, practical defenses:
- Keep iPhones on the latest iOS release and enable automatic updates.
- Avoid sideloading or installing unknown configuration profiles.
- Consider Lockdown Mode if you face elevated risk.
- For cryptocurrency, use hardware wallets where feasible and secure recovery phrases offline.
- Revoke unused app permissions.
- Treat unexpected website prompts with caution—especially on local sites that could be compromised.
Ukraine’s CERT-UA has repeatedly warned about mobile-focused activity since the invasion, and Apple regularly ships rapid security patches when exploitation is found. Still, as Darksword demonstrates, determined actors will keep investing in iPhone exploit chains. The best defense remains fast patching, minimal attack surface, and a healthy skepticism of unsolicited links and prompts—particularly when the stakes include your identity, your contacts, and your coins.