Security researchers at Google’s Threat Intelligence Group (GTIG) have uncovered a powerful hacking toolkit known as Coruna, capable of compromising Apple iPhones and stealing sensitive information — including cryptocurrency wallet data and recovery phrases. The discovery has raised new concerns about mobile security as attackers increasingly target crypto holders directly through their smartphones.
The exploit kit uses 23 different vulnerabilities combined into five exploit chains, allowing attackers to bypass Apple’s security protections and silently install malware on affected devices.
A Sophisticated iPhone Exploit Kit
Coruna targets iPhones running iOS versions 13 through 17.2.1, exploiting weaknesses in the operating system to gain full control of a device after a victim visits a malicious website or interacts with compromised web content.
Unlike many cyberattacks that rely on phishing links or downloads, this exploit can work simply by visiting a compromised site, making it far more dangerous and difficult to detect.
Once the malware is installed, attackers can extract sensitive data from the device, including:
Cryptocurrency wallet files
Seed phrases and backup codes
Banking and financial information
Messages and personal files
The malware can also scan device storage for keywords such as “backup phrase” or “bank account” in order to locate valuable financial data.
From Surveillance Tool to Crypto Theft
Researchers say Coruna did not begin as a typical cybercriminal toolkit. The exploit framework appears to have originally been used for high-level surveillance and espionage operations before eventually falling into the hands of financially motivated hackers.
Google’s investigation found the toolkit moving through several stages:
Initially used by a surveillance vendor’s client in targeted attacks.
Later deployed in state-linked espionage campaigns, including operations targeting Ukrainian websites.
Eventually adopted by a Chinese cybercrime group that repurposed the tool for cryptocurrency theft.
At that stage, attackers began distributing the exploit through fake gambling and crypto websites, aiming to infect visitors and steal their digital assets.
A Rare Mass-Scale iPhone Attack
Mass exploitation of iPhones is unusual because Apple’s mobile ecosystem is generally considered one of the most secure consumer platforms.
However, security researchers say Coruna represents one of the first known exploit kits capable of compromising iPhones at scale, potentially affecting tens of thousands of devices globally.
Some researchers believe the toolkit may have originated from nation-state-level development, given the complexity of its code and the number of vulnerabilities involved.
How Users Can Protect Themselves
Security experts recommend several steps for reducing the risk of infection:
Update iPhones to the latest iOS version
Avoid visiting suspicious websites or downloading unknown apps
Enable Apple’s Lockdown Mode for additional protection against advanced spyware
Many of the vulnerabilities exploited by Coruna have already been patched in newer versions of iOS, meaning updated devices are significantly safer.
