
Google Flags ‘Ghostblade’ Malware Targeting Crypto Users

Google Threat Intelligence has discovered a new malware called “Ghostblade,” part of the “DarkSword” suite, designed to steal crypto private keys and sensitive user data on Apple iOS devices. Written in JavaScript, Ghostblade activates briefly to extract information before shutting down, making detection difficult.

By Tristan R.

Senior Author · March 21, 2026


Figure: A timeline of the evolving malware threats targeting Apple iOS devices and the cybersecurity patches released to address the threats. Source: Google Threat Intelligence

Data Theft and Capabilities

The malware can access messaging apps, including iMessage, Telegram, and WhatsApp, as well as SIM card details, identity data, multimedia files, geolocation, and system settings. It also deletes crash reports from compromised devices to avoid detection by Apple’s security systems. Ghostblade operates without plug-ins and stops after extracting data, highlighting its stealth-focused design.

Trends in Crypto Cybercrime

While crypto hack losses fell from $385 million in January to $49 million in February, malicious actors increasingly target users through phishing, wallet poisoning, and other human-error exploits. Fake websites mimicking legitimate services often embed malware like Ghostblade, enabling attackers to access crypto assets and sensitive personal information.

Figure: Private users bore the brunt of hacking, phishing, and other crypto-theft attempts in February. Source: Nominis

Cybersecurity researchers continue to monitor threats like DarkSword to protect users and institutional investors from evolving malware and phishing attacks in the digital asset ecosystem.

Disclaimer

This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.


About the author

Tristan R.

8+ years covering crypto markets, macro, and geopolitics. Previously at Decrypt and CoinDesk. Focused on the intersection of digital assets and traditional finance.
