iPhone Owners in South Africa Prime Targets for DarkSword Hacking KitWhat You Need to Know

A convergence of factors has made iPhone owners in South Africa a prime target for a new hacking technique, alongside users in other emerging markets such as Türkiye and Saudi Arabia.

What Is DarkSword?

DarkSword is a hacking kit designed specifically to steal sensitive information from iPhone users.

It attacks via infected websites that users visit in Safari. When a user visits an infected site, multiple exploits are run to obtain kernel read and write access. Code is then executed through a main orchestrator component that injects a JavaScript engine into iOS services that would normally need admin access.

The engine breaches:

• App Access

• Wi-Fi

• Springboard

• Keychain

• iCloud

Then it runs a data-stealing module.

What Data Is Stolen?

According to BleepingComputer, the module siphons:

• Saved passwords

• Photos, including screenshots and hidden images

• WhatsApp and Telegram databases

• Crypto wallets (Coinbase, Binance, and more)

• SMS messages

• Address book

• Location history

• Browser history

• Website cookies

• Wi-Fi passwords

• Apple Health data

• Calendar

• Notes

• Installed applications

• Connected accounts

Once the data theft is completed, DarkSword wipes temporary files and exitsindicating it was not designed for long-term espionage.

The South African Context

Attack attempts using infostealers have been growing exponentially in Sub-Saharan Africa, with more than 95 million on-device attacks in the first half of 2025.

• Spyware attacks in the region more than doubled

• Password-stealing attacks occurred 64% more often

• Around 21% of South African users faced malware delivered via password stealers and spyware

Crypto Wallet Target

The dangers go beyond stolen passwords. Threat actors are specifically seeking cryptocurrency wallets and blockchain keys from connected iOS apps.

Over 6 million South Africans (9.44% of the population) are estimated to have crypto assets, according to 2024 research by Triple-A.

Vulnerable iOS Versions

DarkSword targets iPhone users running iOS 18.4 through iOS 18.7.

In South Africa, less than 50% of iPhone owners have updated to the latest version of Apple’s smartphone OS, iOS 26, according to StatCounter.

Apple devices have a more than 20% share of all mobile web traffic in South Africaup from 17% last yearindicating growing popularity.

The First Attacks

iPhone users in Saudi Arabia were the first documented to be attacked using DarkSword. Victims were breached when they visited a website impersonating Snapchat.

The kit is so well-designed that it is being used by defence companies and even sovereign nations to steal information, with examples in Türkiye, Malaysia, and Russia.

Has Apple Fixed It?

Apple has yet to roll out any fixes for the exploit, likely because it can be protected against by updating to the latest version of iOS.

There is a chance Apple may port a fix for a similar exploit used in the past to help users with older devices that are unable to updatebut nothing has been confirmed.

The Bigger Picture

A hacker known as “UNC6353” reportedly used the DarkSword kit in December 2025 to steal information from targets in Ukraine. This threat actor is believed to be a Russian spy.

Russia is alleged to provide harbour to cybercriminals as long as they don’t target Russian individuals, businesses, or state organisations.

Michael van Landingham, a former CIA computer expert, told the Associated Press: “Like almost any major industry in Russia, cybercriminals work kind of with tacit consent, sometimes explicit consent, of security services.”

The Bottom Line

DarkSword is here. It targets iPhones. It steals everythingpasswords, photos, crypto wallets, messages.

South African iPhone users are in the crosshairs.

Your defence

Update to iOS 26. Don’t click suspicious links. And assume that your phone is only as secure as the software running on it.