Apple Scrambles to Patch Critical Crypto-Stealing Zero-Day Vulnerability

Published: 2025-08-25 10:05:00

Apple just dropped emergency patches after discovering a critical vulnerability actively exploiting crypto wallets. The zero-day flaw lets attackers bypass security protocols and drain digital assets with frightening efficiency.

How the exploit works

The vulnerability targets Apple's cryptographic frameworks—allowing malicious actors to intercept transactions and redirect funds without triggering standard security alerts. No physical access required. Just one cleverly crafted transaction and your Bitcoin could vanish.

Who's affected?

Any iOS or macOS user with cryptocurrency wallets installed. That's millions of devices suddenly vulnerable. Apple's rushed patches cover iPhone, iPad, and Mac—but the real question is how long this exploit circulated undetected.

Timing is everything

Another 'coincidental' crypto vulnerability right as institutional money floods into ETFs. How convenient that retail investors keep getting hacked while Wall Street's custodial solutions remain untouched.

In brief

  • An ImageIO vulnerability allowed code execution via an image, with no user click needed.
  • Apple published urgent patches covering iOS, macOS and iPadOS against this threat.
  • Malware exploits photo galleries to steal recovery phrases and wallet QR codes.
  • Experts recommend switching to a cold wallet and restricting access to sensitive photos.

Urgency signaled in November: an Apple vulnerability endangered your crypto. It was in response to this threat that, on August 20, 2025, Apple published a series of patches for iOS, iPadOS, and macOS, targeting a critical vulnerability tracked as CVE-2025-43300. This vulnerability in ImageIO allowed a malicious image to corrupt the device’s memory. No click required. No opening necessary.

Apple acknowledged the existence of a highly sophisticated attack targeting specific individuals.

Even more worrying, image processing could be triggered automatically via iMessage or web content.

The affected versions:

  • iOS 18.6.2 / iPadOS 18.6.2;
  • macOS Ventura 13.7.8;
  • macOS Sonoma 14.7.8;
  • macOS Sequoia 15.6.1.

The CVSS score of the bug: 8.8/10. Crypto then becomes easy prey for malicious actors, and mobile wallet holders are on the front line.

We have known for a few years now that cybercriminals never sleep. But now, they innovate. Tools like SparkCat or SparkKitty use OCR to read your images. Their favorite targets? Recovery phrases, crypto wallet QR codes, and copied/pasted addresses.

An infected image serves as an anchor point. Then, everything becomes possible: accessing the gallery, reading photos, scrutinizing the clipboard.

Some cybersecurity researchers, like Juliano Rizzo from Coinspect, pointed out that the danger comes as much from the vulnerability as from our bad habits. Storing your recovery phrase in a screenshot or visible image gives malware a royal road to your assets. At that point, it’s no longer hacking—it’s simply harvesting what users left exposed. Malicious tools just have to extract what you left in plain sight.

The precedent with Blastpass in 2023 had already shown that an image vulnerability could trigger attacks without clicks. The pattern repeats.

Moral of the story? If your crypto sits on an Apple mobile device, it’s time for a thorough check: photo permissions, clipboard access, and especially… a cold wallet.

What this Apple vulnerability really hides

The ImageIO vulnerability is only the tip of the iceberg. This critical bug, exploited without a click, illustrates a deeper problem: the digital passivity into which we settle. On iOS, some images are automatically processed upon receipt. A convenient feature that, in this case, created an entry point for attackers.

Apple remains silent about the exact vector, but experts suspect automatic processing via iMessage or Safari. And while we talk about crypto, the entire ecosystem becomes a battleground. Every vulnerability, every user behavior becomes an opportunity.

Juliano Rizzo from Coinspect reminds us that the absence of user action is what makes this kind of attack so formidable. When a device works for you… it can also work against you.

And if we look at the 2025 figures, the trend is far from reassuring.

What the 2025 figures reveal: 

  • 7 zero-day vulnerabilities detected on Apple products;
  • 16 billion passwords leaked in a single breach;
  • 30 databases massively compromised;
  • 70% of recovered credentials still active according to CyberNews.

Everything is (temporarily) under control, but the lull fools no one. While this crypto attack was contained thanks to updates, other fronts are opening. A recent leak exposed more than 16 billion passwords, affecting Apple, Google, Facebook. Proof that ingenuity is not only found among coders… but also among those who collect your traces to better strip you.
