After DarkSword was leaked and uploaded to public channels such as GitHub, it was quickly "taken over" by attackers. Multiple media outlets have confirmed that its wild exploitation is targeting specific scenarios: Users browsing the web on devices running iOS versions 18.4 to 18.7 through Safari may be silently guided into an attack chain when mistakenly clicking on sites disguised as pornographic live streams, Tron energy stations, refund processes, or vulnerability warnings. On May 15, 2026, Slow Mist founder Yu Xian publicly released an article that refocused this risk on a more specific group—users who browse the web using Safari on older iOS versions and also hold cryptocurrency wallets are specifically named as current targets of DarkSword attacks. This means that once they perform asset-related operations in the browser, system-level vulnerabilities and social engineering inducements will compound to amplify potential losses. Almost simultaneously, in April 2026, security researchers from California, USA, used Anthropic's Mythos model to conduct security testing on macOS, discovering two software vulnerabilities within about 5 days and submitting reports to Apple. Apple responded publicly, stating that it is reviewing and verifying these reports and emphasizing that security is a top priority. The discussions around Mythos in the industry are gradually heating up: As AI tools raise the efficiency of vulnerability discovery to a new level, and high-risk attack frameworks like DarkSword flow into public channels, the technological race between attackers and defenders is forced into a fast lane, while cryptocurrency users who click on unknown links and engage in wallet transactions via browsers on their mobile devices stand at the intersection of this dual security shock.
DarkSword Leaked: High-Risk iOS Attacks
As AI boosts the efficiency of vulnerability discovery, DarkSword, originally a "high-risk battlefield" iOS attack framework, has reportedly appeared on public code hosting platforms such as GitHub and has been appropriated by attackers for wild exploitation. Reports indicate that DarkSword specifically targets Safari vulnerabilities on devices running iOS versions 18.4 to 18.7, allowing attackers to construct malicious sites using a ready-made framework without needing to refine a complete exploit chain, thus enabling them to target older iOS users. This effectively transfers capabilities that were previously limited to advanced threat scenarios to a larger pool of ordinary attackers.
The more immediate threat is that this framework has already been used in specific inducement scenarios. Public information shows that DarkSword attackers disguise their websites as pornographic live streams, Tron energy stations, refund process pages, or even "vulnerability warning" webpages to guide users to open malicious links in Safari. If the target device is still on an older iOS version and the user operates a cryptocurrency wallet in the browser, a closed loop between underlying Safari vulnerabilities and social engineering inducements will be formed. On May 15, 2026, Yu Xian publicly warned that such attacks primarily target users who browse the web using Safari on older iOS and hold cryptocurrency wallets. For mobile token holders, this means that the "high-risk exploit chain" that only existed in technical reports is now haunting every strange webpage they may click on daily.
From Porn Sites to Energy Stations: Specifically Targeting Wallet Holders
In the exploit chain of DarkSword, the first strike is often not code, but rather language. Several media outlets have mentioned that on one end, attackers set up websites disguised as pornographic live streams, using phrases like "HD unlock" and "private room" as entry points, while on the other end, they disguise themselves as Tron (TRON) energy stations, refund process pages, or even "vulnerability warning" webpages, claiming to help users replenish energy, recover failed orders, or mitigate wallet risks. Only users who genuinely hold cryptocurrency and have actual needs in these scenarios will patiently click through; this design effectively filters out cryptocurrency wallet users with context and then uses inducement to push them to malicious pages opened in Safari.
Yu Xian's reminder clearly highlights this chain: The target is the group on older iOS, with Safari as the default browser, who also hold cryptocurrency wallets. For such users, the risk lies not only in "clicking the wrong link" but also in the fact that when switching to the browser on their phones to view what are claimed to be energy stations, refunds, or security announcements, if their system version falls within the reported affected range, they might trigger underlying vulnerability exploitation without sensing it, thus threatening the safety of their wallet assets. In other words, as long as they continue to browse these types of wallet-related webpages in Safari on older iOS, social engineering inducement and system-level attacks will quietly complete a loop in their pockets.
5 Days to Discover macOS Vulnerabilities
Almost simultaneously with the iOS risks in users' pockets, the desktop environment has also come under scrutiny. According to reports from The Wall Street Journal and other foreign media, in April 2026, a security research team from California, USA, conducted security tests on macOS while introducing Anthropic's Mythos model as a supporting tool. Related reports indicate that this team discovered two software vulnerabilities in macOS within about 5 days and submitted a report to Apple. Apple subsequently responded, stating that security is the company's top priority and that it is currently reviewing and verifying the vulnerability reports from this research team.
This pace contrasts sharply with traditional manual vulnerability discovery, where past rounds of security testing for complex desktop systems often required researchers to spend weeks auditing and verifying. Now, with the assistance of large models, candidate attack surfaces are quickly filtered out, and the scope that truly requires manual deep dives has been compressed. Discussions in the industry surrounding Mythos are pointing towards the same conclusion: AI tools have significantly improved vulnerability discovery efficiency, but this improvement affects both attackers and defenders equally. Today, it helps defenders identify and report weaknesses in macOS within 5 days; tomorrow it can equally be used by attackers to batch scan undisclosed security gaps. The acceleration of the competition between attackers and defenders utilizing the same set of AI tools constitutes a long-term systemic variable beyond the DarkSword incident.
The Security Paradox Interwoven with AI and Attack Frameworks
With DarkSword reported as leaked on public channels such as GitHub and already used in wild exploits, an attack framework that should have only appeared in advanced threat scenarios has suddenly been placed in the “arsenal” accessible to any attacker. According to media reports, it targets Safari vulnerabilities on iOS versions 18.4 to 18.7, with attackers using pornography, Tron energy stations, refund processes, and vulnerability warnings as bait to guide cryptocurrency wallet users step by step to malicious pages. Almost concurrently, security researchers from California, USA, using Anthropic's Mythos model, conducted security tests on macOS, discovering two software vulnerabilities and reporting them to Apple, which responded that it was reviewing these reports and emphasizing that security is a priority. A leaked mobile attack framework and newly discovered desktop vulnerabilities aided by AI sketch a reality where a single company exposes high-risk weaknesses simultaneously on both mobile and desktop; for ordinary users, particularly those accustomed to operating wallets in mobile browsers, this means they must fend off social engineering inducements while also bearing the double risk of underlying system vulnerabilities being exploited remotely.
In this situation, where both offense and defense are accelerated by AI, the security paradox sharpens: DarkSword proves that high-risk capabilities are being decentralized, while Mythos demonstrates the accelerated effect of AI in vulnerability discovery; the combination of both results in shorter attack windows and broader attack surfaces. The security community and major firms may be forced to adjust their pace—on one hand, relying more on automated tools for code audits and system self-checks to shorten the time from discovery to patching; on the other hand, attempting to redraw a defensive line between public attack frameworks and AI-aided vulnerability discovery by strengthening responsible disclosure of vulnerabilities, increasing rewards, and compressing support cycles for older systems. However, whether this defensive line can keep up with the speed of tool diffusion and model upgrades remains an open variable.
What Wallet Holders Should Do Now
For users who are already browsing the web on older iOS versions using Safari and have cryptocurrency wallets installed on their phones, the first step they can take is straightforward: Following the advice of Slow Mist's founder Yu Xian, upgrade to the latest system version as soon as possible to reduce the chance of being hit by the DarkSword attack chain. Before that, avoid clicking on unknown links using the mobile browser, especially those related to pornography, Tron energy stations, refund pages, and so-called “vulnerability warnings.” Moreover, do not connect wallets, sign transactions, or input mnemonic phrases on these pages; it is best to limit wallet operations to independent apps or hardware devices. The desktop environment should not be taken lightly either; the vulnerabilities discovered by the California research team using Anthropic's Mythos model are still awaiting validation from Apple. Apple has stated that "security is the top priority," and patches are expected to be pushed through system updates. Cryptocurrency holders should minimize high-risk operations like large transfers and frequent signing in Mac browsers until patches are rolled out and should pay attention to subsequent security announcements to complete updates promptly. Future variables to watch are clear: whether the public attack framework of DarkSword will be reused by more phishing sites and wallet scenarios, whether Apple's repair rhythm for iOS and macOS can keep up, and whether AI security tools like Mythos can be integrated faster into browsers and wallets to preemptively scan for such system-level risks. These changes will directly determine the scope of the next wave of attacks and the survivability of cryptocurrency holders.
Join our community to discuss and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin On-chain: https://aicoin.com/hyperliquid
AiCoin Exclusive Hyperliquid Benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin Exclusive Aster Benefits: https://www.asterdex.com/zh-CN/referral/9C50e2
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
