Google Threat Intelligence has flagged a new crypto-stealing malware named “Ghostblade” targeting Apple iOS devices. Described as part of the DarkSword family of browser-based tools, Ghostblade is engineered to siphon private keys and other sensitive data in a rapid, discreet burst rather than a continuous, always-on presence on the device.

Written in JavaScript, Ghostblade activates, harvests data from the compromised device, and relays it to malicious servers before shutting down. Researchers note that the malware’s design makes it harder to detect, as it does not require additional plugins and ceases operation once data extraction completes. Google’s threat intelligence team highlights that Ghostblade also takes steps to avoid detection by deleting crash reports that would otherwise alert Apple’s telemetry systems.

Beyond private keys, the malware is capable of accessing and transmitting messaging data from iMessage, Telegram, and WhatsApp. It can also harvest SIM card information, user identity details, multimedia files, geolocation data, and access various system settings. The broader DarkSword framework, which Ghostblade belongs to, is cited by Google as part of an evolving set of threats illustrating how attackers continually refine their toolkit to target crypto users.

For readers who track threat trends, Ghostblade sits alongside other components of the DarkSword iOS exploit chain described by Google Threat Intelligence. The set of tools is observed within a wider context of crypto-threat evolution, including reports on iOS-based exploit kits used in crypto phishing campaigns.

Key takeaways

• Ghostblade represents a JavaScript-based crypto-stealing threat on iOS, delivered as part of the DarkSword ecosystem and designed for fast data exfiltration.
• The malware operates briefly and non-continuously, reducing the likelihood of long-term device footholds and complicating detection.
• It can relay sensitive data from iMessage, Telegram, and WhatsApp, and can access SIM information, identity data, multimedia, geolocation, and system settings, while also erasing crash reports to evade discovery.
• The development aligns with a broader shift in the threat landscape toward social-engineering and data-extraction tactics that exploit human behavior, not just software vulnerabilities.
• February’s crypto-hacking losses dropped sharply to $49 million from $385 million in January, signaling a pivot from code-based intrusions to phishing and wallet-poisoning techniques, according to Nominis.

Ghostblade and the DarkSword ecosystem: what’s known

Google’s researchers describe Ghostblade as a component of the DarkSword family—a suite of browser-based malware tools that target crypto users by stealing private keys and related data. Ghostblade’s JavaScript core allows rapid interaction with the device while remaining lightweight and transient. This design choice is consistent with other recent on-device threats that favor quick data exfiltration cycles over prolonged infections.

In practice, the malware’s capabilities extend beyond mere key theft. By accessing messaging apps such as iMessage, Telegram, and WhatsApp, attackers can intercept conversations, credentials, and potentially sensitive attachments. The inclusion of SIM card information and geolocation access broadens the potential attack surface, enabling more comprehensive identity theft and fraud scenarios. Crucially, the malware’s ability to wipe crash reporting further obscures activity, complicating post-infection forensics for both victims and defenders.

As part of the broader DarkSword discourse, Ghostblade underscores the ongoing arms race in on-device threat intelligence. Google Threat Intelligence has framed DarkSword as one of the latest examples illustrating how malicious actors continue to refine iOS-focused attack chains, exploiting the strong trust users place in their devices and the apps they rely on for daily communication and finance.

From code-centric intrusions to human-factor exploits

The February 2026 crypto-hacking landscape reflects a marked shift in attacker behavior. According to Nominis, total losses from crypto hacks fell to $49 million in February, a steep drop from $385 million in January. The firm attributes the decline to a pivot away from purely code-based threats toward schemes that leverage human error, including phishing attempts, wallet poisoning attacks, and other social-engineering vectors that lead users to unwittingly reveal keys or credentials.

Phishing remains a central tactic. Attackers deploy fake websites designed to resemble legitimate platforms, often with URLs that mimic real sites to lure users into entering private keys, seed phrases, or wallet passwords. When users interact with these lookalike interfaces—whether by logging in, approving transactions, or pasting sensitive data—the attackers gain direct access to funds and credentials. This shift toward human-targeted exploits has implications for how exchanges, wallets, and users must defend themselves, emphasizing user education alongside technical safeguards.

The February data point aligns with a broader industry narrative: while code-level exploits and zero-days continue to mature, a growing share of the risk to crypto holdings comes from social-engineering exploits that exploit well-established human behaviors—trust, urgency, and the habitual use of familiar interfaces. For industry observers, the takeaway is not only about patching software vulnerabilities but also about hardening the human element of security through education, more robust authentication, and safer onboarding experiences for wallet users.

Implications for users, wallets, and builders

Ghostblade’s emergence—and the accompanying trend toward human-centered attacks—highlights several practical takeaways for users and developers alike. First, device hygiene remains critical. Keeping iOS up to date, applying app and browser hardening measures, and employing hardware wallets or secure enclaves for private keys can raise the bar against rapid exfiltration attacks.

Second, users should exercise heightened caution with messaging apps and web surfaces. The convergence of on-device data access with phishing-style deception means that even seemingly benign interactions—opening a link, approving a permission, or pasting a seed phrase—can become a gateway for theft. Multi-factor authentication, authentication apps, and biometric protections can help reduce risk, but education and skepticism about unexpected prompts are equally vital.

For builders, the Ghostblade case emphasizes the importance of anti-phishing controls, secure key management flows, and transparent user warnings around sensitive operations. It also reinforces the value of continuous threat intelligence sharing—especially around on-device threats that blend browser-based tools with mobile operating system features. Cross-industry collaboration remains essential to detect novel exploitation chains before they become widely effective.

What to watch next

As Google Threat Intelligence and other researchers continue to track DarkSword-linked activity, observers should monitor updates on iOS exploit chains and the emergence of similarly stealthy, short-duration malware. The February shift toward human-factor vulnerabilities suggests a future where defenders must bolster both technical safeguards and user-facing education to reduce exposure to phishing and wallet-poisoning schemes. For readers, the next milestones include any formal threat intel advisories on iOS crypto threats, new detections from security vendors, and how major platforms adapt their anti-phishing and fraud-prevention measures in response to these evolving playbooks.

In the meantime, keeping a watchful eye on threat intelligence backstops—such as Google Threat Intelligence’s reporting on DarkSword and related iOS exploits, along with ongoing analyses from Nominis and other blockchain security researchers—will be essential for assessing risk and refining defenses against crypto-focused cybercrime.

TLDR:

• Bitcoin trades near $70K ahead of Eid 2026, aligning with recent consolidation ranges.
  
• Historical Eid periods show mixed outcomes despite recurring increases in trading activity.
  
• Market participation often rises during Eid due to higher liquidity and festive spending.
  
• Price movements during Eid reflect broader cycles rather than fixed seasonal direction.

Bitcoin is trading near $70,000 as Eid 2026 approaches, reflecting steady market conditions. Historical data show that Eid periods often bring increased activity, though price direction varies each year depending on broader market cycles and liquidity conditions.

Bitcoin Holds Near $70K Ahead of Eid 2026

Recent market data places Bitcoin at $69,764.71, with a 0.23% daily increase. Estimates suggest a range between $65,000 and $75,000 during Eid 2026. This aligns with the consolidation seen throughout March.

A post from Syndicate Official noted similar expectations. The tweet pointed to current trading levels between $68,000 and $70,000. Such projections reflect cautious market positioning ahead of the holiday period.

Compared to past Eid cycles, current levels remain elevated. In 2024, Bitcoin traded near $69,350 during Eid. Meanwhile, 2023 and 2022 recorded lower levels at $27,270 and $38,520. This contrast shows stronger market positioning entering 2026.

Earlier cycles also showed upward movement. Bitcoin reached $2,590 in 2017 and $8,720 in 2020 during Eid periods. These shifts followed broader market expansions rather than isolated seasonal drivers.

Comparing Past Eid Cycles and Market Behavior

Historical patterns show increased trading activity during Eid. Liquidity often rises due to bonuses and festive spending. As a result, short-term buying pressure tends to increase during this period.

However, price direction has not remained consistent. While some years recorded gains, others showed declines despite higher participation. This indicates that external market conditions continue to guide price movement.

Social media discussions frequently mention the “Eid effect” in crypto markets. These narratives often point to higher retail engagement. Still, data suggest that broader trends remain the dominant factor in price behavior.

Institutional players also monitor these periods closely. Increased retail activity can create short bursts of volatility. Even so, overall direction depends on macro trends and ongoing market cycles.

While ETF outflows grabbed attention, about $13b quietly moved into crypto via OTC, prime brokerage, and private funds, showing institutional demand runs deeper than ETF dashboards.

While Bitcoin (BTC) spot ETF outflows dominated market commentary this week — including a $129 million net redemption on Wednesday that snapped a seven-day inflow streak — a far larger and largely unreported capital movement was taking place in parallel: approximately $13 billion flowing into crypto through institutional channels that operate entirely outside the ETF wrapper and below the radar of most retail-facing data providers.

The figure, highlighted in today’s Daily Chain briefing, refers to capital moving through prime brokerage desks, OTC trading facilities, structured products, and private fund vehicles — the infrastructure layer that services sovereign wealth funds, family offices, hedge funds, and corporate treasuries that either cannot or choose not to access crypto through publicly listed ETFs. This distinction matters enormously for understanding the true state of institutional demand, which headline ETF flow data alone systematically understates.

The scale of this hidden layer has grown dramatically. Institutional crypto spot OTC trading rose 109% year-over-year in 2025, according to data from Finery Markets, as large players increasingly favored the price certainty, reduced market impact, and counterparty discretion that OTC desks offer over exchange-based trading. BlackRock’s $140 million deposit into Coinbase Prime earlier today is one visible example of this dynamic — a transaction that occurred entirely off-exchange and would not appear in any ETF flow report.​

The $13 billion figure reframes this week’s narrative. The surface-level story — ETF outflows, fear readings, post-FOMC selling — has been unambiguously negative. But beneath it, a parallel institutional market has continued to absorb and deploy capital at a scale that dwarfs the retail-visible flows. This divergence between what the ETF dashboard shows and what is actually moving through institutional rails has become one of the defining features of the 2026 crypto market structure.

It also reflects a broader maturation of the ecosystem. Early institutional Bitcoin exposure was almost entirely channeled through Grayscale’s GBTC or other listed vehicles. Today, the institutional toolkit includes prime brokerage, segregated custody, structured notes, repo-backed leverage products, and direct OTC block trades — each serving different risk, regulatory, and operational requirements. US spot Bitcoin ETFs, for all their profile, now represent just one of many on-ramps.

For market observers, the practical implication is clear: judging the health of institutional crypto demand by ETF flows alone produces a distorted picture. The real money — sovereign funds, large family offices, multi-strategy hedge funds — has always operated in the shadows of the ledger, and the $13 billion moving through those channels this week suggests that conviction among the largest players remains considerably more intact than the fear index of 28 might imply.

Solana Foundation president Lily Liu said blockchain gaming is dead in an X post today, March 20. A later, self-proclaimed “shitpost” from the Foundation’s chief product officer poked fun at Liu’s statement, but the original post had already set off a wave of comments, both criticizing Liu’s take, and defending the future of web3 gaming.

Liu’s statement, which reads “Also, gaming on a blockchain is not coming back,” was a response to a March 18 X post from Polymarket claiming, somewhat misleadingly, that Meta is shutting down its metaverse division.

In what appears to be an act of self-aware irony, as of today, Liu’s X bio also says she is not only president, but also the “head of gaming” at Solana Foundation, a title that is absent from the exec’s LinkedIn and other profile bios.

No such role appears in any official Solana Foundation communications or staff listings The Defiant could find, strongly suggesting the title was meant to be ironic.

X account Solana Gaming added to the confusion with a post congratulating Liu on her new role as the Foundation’s head of gaming.

Liu has been notably dismissive of the blockchain gaming meta in recent months. In a more extended X post on Feb. 5, Liu said blockchain networks should focus on finance and tech for core use cases, writing:

“I am happy the misadventures around things like gaming in particular are fully dead and over.”

The Solana Foundation president continued, “This blockchain adventure has always been about finance: open financial rails for anyone and everyone on the internet.”

As The Defiant reported last April, MagicBlock’s $7.5 million seed round to build real-time gaming infrastructure on Solana was backed by Solana co-founder Anatoly Yakovenko himself.

Web3 Gaming’s Struggle

As The Defiant reported previously, blockchain-based and crypto-integrated games have struggled to sustain demand. While monthly investments in web3 gaming projects were in the tens of millions of dollars last year, per data from DappRadar, that interest is far lower than capital flows during the sector’s peak in 2021, when blockchain games raked in a total of $4 billion from venture capital firms.

Is Meta’s Metaverse Also Dead?

The Polymarket post about Meta’s metaverse shutdown, which Liu’s post today was a response to, was itself notably misleading. As WIRED reported yesterday, what Meta, the parent company of Facebook, WhatsApp, and Instagram, actually announced was the shutdown of its online, multi-player game Horizon Worlds in VR, reportedly via an email to users on Tuesday. Horizon Worlds, which is also referred to as a metaverse platform, is a project developed by Reality Labs, Meta’s metaverse arm.

However, the tech giant then quickly reversed course, with CTO Andrew Bosworth just days later stating that, in response to users, the company had decided to keep Horizon Worlds running in VR to support existing games and fans, though with limited support, and no new games or major investments.

This article was written with the assistance of AI workflows. All our stories are curated, edited and fact-checked by a human.

Coinbase on Friday rolled out perpetual futures contracts tied to U.S. equities, becoming one of the first major centralized exchanges to offer the product and expanding its derivatives lineup beyond crypto.

The contracts cover all seven Magnificent 7 stocks — Apple, Microsoft, Alphabet, Amazon, Nvidia, Meta, and Tesla — as well as ETF perpetuals tracking the S&P 500 (SPY) and Nasdaq-100 (QQQ) in select jurisdictions. They are available to eligible non-U.S. retail users on Coinbase Advanced and to institutions on Coinbase International Exchange.

The contracts trade around the clock, are cash-settled in USDC, and offer up to 10x leverage on individual stocks and 20x on ETF products. Like crypto perpetuals, they have no expiration date and use a funding rate mechanism to track spot prices.

Competing With DeFi

The launch positions Coinbase against decentralized platforms that have already built significant traction in equity-linked perpetuals. TradeXYZ, the perpetuals arm of Hyperliquid tokenization layer Unit, has crossed $1.4 billion in open interest and routinely processes more than $1 billion in daily volume, according to DeFiLlama.

Earlier this week, the platformlanded a license from S&P Dow Jones Indices to launch the first officially sanctioned S&P 500 perpetual futures contract on-chain — a milestone that lends institutional credibility to the DeFi side of the equity perps market.

Coinbase acknowledged in itsblog post that much of the demand for continuous equity exposure has been concentrated on decentralized venues.

The launch follows Coinbase’s recent push into European derivatives, where its MiFID-regulated entity began offering crypto futures across 26 countries earlier this month. The company said it plans to expand the lineup over time, adding more equities, indices, commodities, and other globally traded assets.

This article was written with the assistance of AI workflows. All our stories are curated, edited and fact-checked by a human.

The two U.S. senators negotiating a controversial provision in the crypto industry’s market structure bill — Republican Thom Tillis and Democrat Angela Alsobrooks — have reportedly agreed on a compromise that could advance the industry’s top priority to the next stage in the Senate.

The two were reported by Politico to have agreed in principle on an approach to stablecoin yield in the Digital Asset Market Clarity Act, and that potentially knocks down one of the top unresolved issues in the wide-ranging bill. Still, no further details emerged, other than Alsobrooks reiterating that the yield accord would bar rewards on passive balances of stablecoins.

Bankers had argued that stablecoin rewards on holdings of the U.S. dollar-tied tokens could closely resemble interest on bank deposits, and any threat to that core component of U.S. banking could put lending at risk. Both Alsobrooks and Tillis had agreed to find an approach that wouldn’t threaten banking.

“Sen. Tillis and I do have an agreement in principle,” Alsobrooks told Politico on Friday. “We’ve come a long way. And I think what it will do is to allow us to protect innovation, but also gives us the opportunity to prevent widespread deposit flight.”

The White House was reviewing updated legislative text on Thursday, CoinDesk previously reported. White House officials didn’t immediately respond to a request for comment on the Friday development.

Industry insiders have told CoinDesk that they were aware of a new compromise, but they haven’t yet seen the legislative text that the senators agreed on.

Though the stablecoin question was at the forefront of the Clarity Act negotiations, there remain a number of other points to iron out, including the bill’s treatment of decentralized finance (DeFi), a corner of the sector in which some Democrats had expressed unease over illicit finance.

Lawmakers have suggested in recent days that the Clarity Act could get a Senate Banking Committee hearing late next month. If it’s approved there, it advances toward the Senate floor, though it first needs to be melded with a similar version that already passed in the Senate Agriculture Committee.

Senator Cynthia Lummis, the Republican atop the banking panel’s crypto subcommittee, said earlier this week she expected a hearing in the latter half of April. She posted on image Friday on social media site X that depict a “yield” sign.

Advocates have been hoping for a May resolution of the years-long legislative effort. But Senate floor time is at a premium, and it’s under some threat from unrelated issues, such as the Republican’s voter-ID bill and the back-and-forth over the war in Iran.

Read More: Key U.S. senator on crypto market structure bill negotiation: ‘We think we’ve got it’

UPDATE (March 20, 2026, 15:36 UTC): Adds quote from Senator Alsobrooks and tweet from Senator Lummis.

Google just disclosed a vulnerability that targets iPhone crypto wallets and could have affected an estimated 270 million Apple devices.

The DarkSword exploit, which strings together multiple zero-day vulnerabilities, is still live today and affects iPhones running iOS 18.4 through 18.7, updates that were released between April and September last year.

Up-to-date Apple devices use iOS 26.3.1. However, because many people don’t automatically upgrade, 24% of all iPhones still use iOS 18 according to Apple’s own data.

DarkSword allows hackers to orchestrate six vulnerabilities together to silently compromise devices, dump their Keychain databases, and vacuum up crypto wallet data. 

Frequently targeted apps by DarkSword hackers include crypto wallets MetaMask, Phantom, and dozens of others by Coinbase, Ledger, and more. Visiting a poisoned website in Safari is all it takes to trigger the attack.

Google’s Threat Intelligence Group has observed Russian state-linked hackers, a Turkish surveillance vendor, and another threat cluster wielding DarkSword against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.

Institutional demand for crypto is holding up despite ongoing turbulence, with new data showing large investors are preparing to increase allocations even after the market’s sharp sell-off since October.

At the same time, stablecoins are gaining traction across both retail and institutional channels. Japan is moving ahead with regulated USDC (USDC) lending products, while new models tied to real-world assets are beginning to take shape.

Elsewhere, crypto companies continue to tap traditional capital markets, with Abra pursuing a public listing via a special purpose acquisition company (SPAC) deal.

Together, the latest developments point to a market that is still expanding through regulated pathways, even as price volatility and regulatory uncertainty persist.

Institutional investors double down on crypto

Despite recent volatility and a 40% crypto market sell-off since October, institutional investors are preparing to increase their digital asset exposure, with most expecting prices to rise over the next 12 months. 

A January survey of 351 investors by Coinbase and EY-Parthenon found that 73% plan to buy more digital assets this year, while 74% expect prices to move higher.

Bitcoin (BTC) and Ether (ETH) remain the primary entry points, but interest is expanding into stablecoins and tokenized assets. Two-thirds of respondents said they prefer gaining exposure through regulated vehicles such as exchange-traded products.

The data points to steady institutional demand, with capital continuing to move through structured, compliant channels despite market turbulence.

SBI rolls out retail USDC lending in Japan

SBI VC Trade is expanding stablecoin use in Japan with the launch of a retail USDC lending service, as regulated access to dollar-backed tokens gains traction. The move follows recent regulatory changes that allow licensed companies to handle foreign stablecoins, such as Circle-issued USDC.

The platform enables users to lend USDC in exchange for yield, marking one of the first retail-facing products of its kind in Japan. SBI, a major financial group, has been building out its crypto offering within the country’s regulated framework.

The rollout highlights how stablecoins are moving beyond trading into regulated financial products, particularly in markets where legal clarity has already been established.

Abra targets Nasdaq listing through SPAC deal

Crypto wealth manager Abra is planning to go public through a merger with New Providence Acquisition Corp., in a deal that values the combined entity at around $750 million. The company is expected to list on Nasdaq under the ticker ABRX.

Abra has shifted its focus toward wealth management services, including trading, custody and yield products, following regulatory challenges tied to its earlier lending operations. The SPAC route offers a faster path to public markets at a time when traditional IPO activity remains limited.

The deal reflects continued efforts by crypto companies to access public capital, even as regulatory scrutiny and market conditions remain uneven.

Theo launches $100M gold-linked yield stablecoin vault

Tokenization platform Theo has unveiled a $100 million vault tied to a gold-linked, yield-bearing stablecoin, designed to combine price stability with onchain returns. The structure links the token’s value to gold while offering yield to users.

The model introduces a hybrid approach that blends commodity backing with onchain financial mechanisms, reflecting broader efforts to bring real-world assets into crypto markets. Gold serves as the underlying collateral, offering an alternative to fiat-backed stablecoins.

The product highlights growing experimentation around yield-bearing stablecoins, as developers look to expand their role beyond simple price stability.

Crypto Biz is your weekly pulse on the business behind blockchain and crypto, delivered directly to your inbox every Thursday.