Leaked iOS spyware has some cybersecurity professionals raising urgent alarms about potential mass iPhone compromises, a development that pairs ominously with the recent discovery of two sophisticated iOS exploit kits.

At the same time, some other experts say Apple’s defensive features for iPhones remain elite. But several factors have created unprecedented circumstances: the public accessibility of a version of DarkSword, shortly after the discovery of the original version of DarkSword and the earlier discovery of a similar kit known as  Coruna, and a  growing market for iPhone exploits driven by their high value as targets.

Allan Liska, field chief information security officer at Recorded Future, said he was worried about what the leaked DarkSword version could do to “democratize” iPhone exploits.

“Right now, iPhone exploitations are among the most expensive to research/implement so they have been, largely, the realm of nation-states,” he said. “If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface.”

Google, iVerify and Lookout released research last week on DarkSword’s discovery, centered on Ukraine. Google also said it saw targeting in Saudi Arabia, Turkey and Malaysia. And that was before a version turned up on GitHub, a development TechCrunch first reported and Google and iVerify have analyzed. (The week before, iVerify and Google uncovered Coruna. Google declined to comment further for this story.)

“It’s extremely alarming that this leaked out on GitHub,” said Rocky Cole, co-founder of iVerify. “I would assume that it’s being used all around the world, and including here in the United States.”

Hundreds of millions of iPhones running iOS 18 could be vulnerable to DarkSword.

“I think that the top line issues here are pretty clear: people who have devices that are vulnerable should upgrade ASAP,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “It is very likely that these vulnerabilities are being used right now to exploit vulnerable devices at scale, which is unusual for Apple products.”

The propagation problem

Coruna was concerning enough for Apple that it took the rare step of backporting security updates to still older versions of iOS, Cole said. The fear, he said, was that it might be wormable — capable of spreading from one device via text message to everyone in a phone’s contact list.

But Cole said Apple hasn’t released similar security-focused updates to iOS 18, for reasons he doesn’t know.

Apple has emphasized the patches it has issued, urged users to update their phones and touted Lockdown Mode as a defense against spyware.

“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and every day Apple’s security teams around the world work tirelessly to protect users’ devices and data,” said Apple spokesperson Sarah O’Rourke. “Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products, and devices with updated software were not at risk from these reported attacks.”

IPhones’ widespread use makes them high-value targets, fueling a thriving market for exploits. Coruna and DarkSword are indicators of this growing demand. 

“It’s time for organizations to start thinking of mobile security the way they think about desktop security, which is to say everyone knows how to secure their laptop,” Cole said. And for iPhone exploit hunting in particular, “you’re starting to see people do it at a mass level.” Furthermore, the resale market is such that exploits that once were exclusive are no longer, and AI makes it even easier to customize them in the code, he said. 

DarkSword has drawn federal attention: The Cybersecurity and Infrastructure Security Agency this week added vulnerabilities that DarkSword exploits to the list that federal agencies must patch.

The number of people still using iOS 18 is large, up to 25% of all iPhones. Cole said several factors are contributing to that, such as users being leery of iOS 26’s onboard artificial intelligence or the Liquid Glass interface.

Said Galperin: “There are many reasons why people do not keep their devices up to date, so when I tell people ‘just patch your stuff’ I think it is important to realize that there are circumstances under which this is easier said than done.”

Proven defenses despite expanding risks

Despite the concerns, Cole credited iPhone for its high security standards, in particular for its app store.

For Natalia Krapiva, senior tech-legal counsel at Access Now, a key takeaway is the worrisome proliferation of commercial spyware and cyber intrusion capabilities.

“This is exactly what human rights activists and digital security researchers have been warning governments and companies about: In the absence of effective regulation for the industry, these exploits will get out and end up in the hands of adversaries like Russia, China, Iran, or, as in the case of DarkSword, leaked online for any criminal to use,” she said.

On the other hand, Apple’s Lockdown Mode and Memory Integrity Enforcement are top-notch defensive measures, Krapiva said. We’ve yet to see a Lockdown Mode-enabled iPhone being infected with spyware, she said.

“I think we’ll keep seeing more attempts to exploit both Apple and Android devices as they improve their software and hardware security,” she said. “It’s the old cat-and-mouse game.”

Adam Boynton, senior enterprise strategy manager at Jamf, said what’s happened with Coruna and DarkSword is evidence of Apple’s success.

“What’s encouraging here is that Apple’s security model works,” he said. “Coruna skips devices running the latest iOS versions and avoids those with Lockdown Mode enabled entirely. That’s a strong validation of the defences Apple has built.

“DarkSword reinforces the same principle,” he continued. “Where Coruna targeted older iOS versions, DarkSword demonstrates that even relatively current releases can be targeted by determined actors. Apple moved quickly to patch the vulnerabilities involved, and devices running the latest iOS are protected.”

The post DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses appeared first on CyberScoop.

Authorities from 14 countries shut down LeakBase, seized its domains and arrested multiple people allegedly involved in the cybercrime marketplace for stolen data and hacking tools, the Justice Department said Wednesday.

LeakBase had more than 142,000 members, ranking it among the world’s largest forums for cybercriminals. The site, which was available on the open web, contained a massive archive of hacked databases including hundreds of millions of account credentials, officials said. 

The stolen databases, which included data from U.S. corporations and individuals, were linked to many high-profile attacks, according to officials. Data seized by authorities revealed a trove of credit and debit card numbers, banking account and routing information, credentials for account takeovers, sensitive business records and personally identifiable information. 

“The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes,” Brett Leatherman, assistant director at the FBI’s cyber division, said in a statement. 

Law enforcement agencies involved in the globally coordinated takedown operation, which began Tuesday, executed search warrants, made arrests and interviewed people in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom.

Officials did not immediately name any suspects, but some of the activity occurred in San Diego and Provo, Utah. Officials said the FBI’s field offices in San Diego and Salt Lake City, which is investigating the case, participated in the operation domestically. The Provo Police Department was also involved.

“Hiding behind a screen does not shield cybercriminals from accountability,” Robert Bohls, special agent in charge at the FBI Salt Lake City field office, said in a statement.

Authorities identified multiple users who believed they were operating anonymously by seizing the forum’s database.

“This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide,” Bohls added. “Together, we will continue to identify, dismantle, and hold accountable those who seek to profit from cybercrime, no matter where they operate.”

Europol, which hosted the coordinated operation in The Hague, described LeakBase as a “central hub in the cybercrime ecosystem” that specialized in leaked databases and stealer logs. The English-language site, which has been active since 2021, contained more than 32,000 posts and more than 215,000 private messages. 

Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users Tuesday, according to Europol.

The technical disruption phase got underway Wednesday and the site now displays a seizure page. Officials from Canada, Germany, Greece, Kosovo, Malaysia and The Netherlands also support the investigation.

“Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals,” Leatherman said. “The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”

The post Authorities from 14 countries shut down major cybercrime forum LeakBase appeared first on CyberScoop.