Google Threat Intelligence Flags Ghostblade iOS Crypto-Stealing Malware
Google Threat Intelligence says it found “Ghostblade,” a JavaScript-based crypto-stealing malware targeting iOS users. Reported in March 2025, Ghostblade can run via iOS web browsing, using social engineering and obfuscation to bypass app-store-style checks.
After infection, Ghostblade seeks device permissions, then harvests high-value targets: wallet seed phrases/private keys, exchange authentication cookies, SMS or authenticator-based 2FA codes, and browser data such as saved passwords and browsing history. It communicates with command-and-control servers using encrypted channels, with possible time-delayed exfiltration and remote updates to extend control.
Google and CrowdStrike observed real-world infection patterns. Likely entry vectors include compromised ad networks, phishing pages impersonating crypto services, and malicious search-result redirects. The threat also expands beyond crypto theft by collecting SIM-related data, identity documents, contacts, and location history—enabling SIM swapping and follow-on phishing and identity fraud.
For traders, this Ghostblade update is primarily a custody and account-risk event rather than a fundamental market driver. It raises the chance of credential theft and exchange account fraud headlines, which can hurt sentiment in the short term.
Separately, a Nominis report noted crypto losses fell to $49 million in February from $385 million in January, suggesting attackers may be shifting toward phishing and wallet-poisoning tactics that exploit human error rather than purely code-based exploits.
Neutral
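Ghostblade's core impact is to raise the theft risk for user accounts and custody: it directly captures seed phrases/private keys, exchange authentication cookies, 2FA codes, and browser credentials, and uses SIM-related data to support SIM swapping and follow-on fraud. Events like this are more likely to affect short-term trading sentiment through “security/risk-control news” and do not directly change the supply and demand or on-chain fundamentals of any particular crypto asset.
Short term: if reports of credential leaks and exchange account fraud become more frequent, this may bring risk-off sentiment and increase user trading friction (such as withdrawal delays/freezes and pressure on customer support and appeals), causing a slight disturbance to market sentiment.
Medium to long term: although the drop in losses in February (from $385 million in January to $49 million in February) may reflect a change in some attack methods, it does not mean the threat has subsided; a shift from code-based exploits to “human-factor” attacks such as phishing and wallet poisoning tends to make security incidents occur more persistently.
Therefore, the direct effect on price itself is limited, and overall the impact leans neutral, at the level of risk management.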