Threats Without Borders - Issue 280
Cybercrime Investigation Newsletter, week ending March 29, 2026
A few weeks ago, I addressed a concern in this space about Apple iPhone users claiming, “Wasn’t me, my phone was hacked.” My response was straightforward: unless they are a direct target of a nation-state, the iPhone was not secretly compromised.
Well... news recently broke about an iPhone exploit called DarkSword, and it has me reevaluating my stance on the issue.
Yes, your iPhone can be hacked; no, you’re probably not interesting enough to justify the price tag.
That tension, between what’s possible and what’s probable, is getting lost in the conversation around advanced mobile exploits like DarkSword. Headlines and social media chatter tend to flatten everything into the same message: your phone is vulnerable at any time. Technically, that’s true. Practically, it’s sensational trash.
DarkSword isn’t a typical piece of malware you download or install. It’s an exploit chain, a carefully engineered sequence of vulnerabilities that allows an attacker to break into an iPhone, escalate privileges, and extract data. It’s not a virus but a master key that unlocks multiple doors in sequence. Once inside, it can deploy tools to collect messages, access apps, or monitor activity, often without leaving much evidence behind.
That kind of capability has not just been rare, but elite. Building something like this requires deep expertise, time, and significant financial investment. For years, these tools were almost exclusively in the hands of nation-states and a small number of highly specialized surveillance vendors. And because they were so valuable, they were used sparingly, against very specific, high-value targets.
The ceiling hasn’t changed. These are still highly sophisticated, expensive, and complex attacks. But the floor has dropped.
The challenge of developing these capabilities remains very high, but the difficulty of accessing them is decreasing. We’re observing the same trend that has occurred in other areas of cybercrime. There was a time when launching a ransomware attack required significant technical skill. Now, ransomware-as-a-service has made it much more accessible. The expertise hasn’t disappeared; it has been packaged, productized, and distributed.
Bad guys who previously could not develop an iPhone exploit chain can now sometimes access or lease that capability. This doesn’t mean “anyone” can do it, but it does expand the pool of potential attackers. It’s no longer limited to intelligence agencies and top-tier operators; it may now include smaller governments, private intelligence firms, and well-funded criminal groups.
Yes, it is now more possible for a broader range of attackers to use these tools. No, it is still not probable that they will be used against the average person.
There are a few reasons for that.
First, these exploits remain costly assets. Even as access becomes more available, it’s not free or simple. Using one involves risk for the attacker. Each deployment raises the likelihood that the exploit will be discovered, analyzed, and patched. Burning a valuable capability on a random target offers little economic or operational benefit.
Second, these attacks still require targeting. Even a “one-click” exploit—where a user simply taps a link—relies on getting that link in front of the right person at the right time. That involves reconnaissance, delivery methods, and often some level of social engineering. This is not spray-and-pray activity. It’s intentional.
Third, and what I’ve been saying for a long time, is that there are far easier ways to compromise people.
Most cybercriminals don’t need a complicated exploit chain to succeed. Phishing emails, fake login pages, password reuse, SIM swapping, and social engineering are much cheaper and easier to scale. If they aim for financial gain, these methods provide a higher return on investment. Why invest heavily in a complex iPhone exploit when a convincing text message can trick someone into giving up their credentials?
This is why, for the average iPhone user, the biggest risks remain the same as they were before: scams, phishing, weak passwords, and account takeovers. Not zero-day exploits.
But that doesn’t mean nothing has changed.
The important shift is in who might now be considered “worth it.”
Previously, the range of targets for these attacks was very limited. Now, it has expanded, not to include everyone, but to include more individuals than before. Those now at risk include journalists, business leaders, government workers, activists, and anyone with access to confidential information or financial assets, even if they don’t operate internationally.
Additionally, there is a risk of spillover. As these tools become more widely used, there’s an increased chance of errors—such as incorrect numbers, misidentified devices, or infrastructure that unintentionally exposes unintended users. This doesn’t suddenly make everyone a target, but it does add more unpredictability to where these capabilities might be exploited.
So where does that leave the everyday iPhone user?
The iPhone is not under constant threat from elite hackers. It is not being silently compromised at random. But it is also no longer accurate to assume that these capabilities exist only in distant, highly controlled environments.
Understand that advanced attacks exist. Recognize that they are becoming more accessible to a wider range of actors. But also keep in perspective that attackers are still making decisions based on cost, value, and likelihood of success. Most people simply do not present a target that justifies the use of such a tool.
And importantly, many of the protections against these advanced threats are straightforward.
Keeping your iPhone updated is one of the most effective things you can do. These exploit chains rely on vulnerabilities, and once those vulnerabilities are patched, the window of opportunity closes. Delaying updates means leaving the door open longer than necessary.
Apple has also introduced built-in protections designed specifically for high-risk scenarios, such as Lockdown Mode. While not necessary for most users, it’s a powerful option for those who may be more likely to be targeted.
Yes, an iPhone can be hacked.
But what matters far more is whether it’s likely - and for most people, it still isn’t.
So in your investigations, it’s something you need to account for… but probably not.
Speaking of Lockdown Mode
Nearly four years after its 2022 debut, Apple’s Lockdown Mode remains undefeated by mercenary spyware, with both Apple and independent investigators such as Amnesty International confirming that no devices with the feature activated have been successfully attacked. Citizen Lab researchers have documented instances where Lockdown Mode effectively prevented Pegasus and Predator spyware attacks. https://techcrunch.com/2026/03/27/apple-says-no-one-using-lockdown-mode-has-been-hacked-with-spyware/
Skimming Report
I’ll write more about this report, but I just don’t have the space today. FICO released the report “The State of Card Skimming in the US: 2025 Year In Review”. https://www.fico.com/blogs/state-card-skimming-us-2025-year-review
Cool Job
Data Scientist, Predictive Fraud Intelligence - VISA. https://jobs.smartrecruiters.com/Visa/744000117342711-data-scientist-predictive-fraud-intelligence
Fraud Risk Governance Lead - Customers Bank. https://customersbank.wd1.myworkdayjobs.com/customersbankcareers/job/Malvern-PA/Fraud-Risk-Governance-Lead_REQ-2026-851
Cool Tool
IRS charity search - https://apps.irs.gov/app/eos/
How charitable is a charity? Charity Navigator - https://www.charitynavigator.org/
International phone number look-up - https://www.thisnumber.com/
Irrelevant
The U.S. Army increased its maximum enlistment age to 42. Meh, I’m still too old, but of course, I couldn't have done it at 42 either. Kudos to anyone over 40 who accepts this challenge! https://abcnews.com/Politics/army-extends-maximum-recruitment-age-42-allowing-older/story?id=131411519
Sign Off
I had to cut the news section today due to space limitations. It will be back next week.
Do you know what a DTMF attack is? Or how they use it to steal the balance from gift cards? Come back next week to learn more.
Matt
“IF YOU WAIT FOR EVERYTHING TO FALL INTO PLACE BEFORE YOU ACT, YOU WILL NEVER MOVE.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.