
Google Exposes “Coruna” Exploit Kit That Could Turn iPhones Into Crypto-Stealing Targets

Security researchers at Google’s Threat Intelligence Group (GTIG) have uncovered a powerful hacking toolkit known as Coruna, capable of compromising Apple iPhones and stealing sensitive information, including cryptocurrency wallet data and recovery phrases. The discovery has raised new concerns about mobile security as attackers increasingly target crypto holders directly through their smartphones.

The exploit kit uses 23 different vulnerabilities combined into five exploit chains, allowing attackers to bypass Apple’s security protections and silently install malware on affected devices. 


A Sophisticated iPhone Exploit Kit

Coruna targets iPhones running iOS versions 13 through 17.2.1, exploiting weaknesses in the operating system to gain full control of a device after a victim visits a malicious website or interacts with compromised web content. 

Unlike many cyberattacks that rely on phishing links or downloads, this exploit can work when a victim simply visits a compromised site, making it far more dangerous and difficult to detect.

Once the malware is installed, attackers can extract sensitive data from the device, including:

  • Cryptocurrency wallet files

  • Seed phrases and backup codes

  • Banking and financial information

  • Messages and personal files

The malware can also scan device storage for keywords such as “backup phrase” or “bank account” in order to locate valuable financial data. 


From Surveillance Tool to Crypto Theft

Researchers say Coruna did not begin as a typical cybercriminal toolkit. The exploit framework appears to have originally been used for high-level surveillance and espionage operations before eventually falling into the hands of financially motivated hackers. 

Google’s investigation found the toolkit moving through several stages:

  1. Initially used by a surveillance vendor’s client in targeted attacks.

  2. Later deployed in state-linked espionage campaigns, including operations targeting Ukrainian websites.

  3. Eventually adopted by a Chinese cybercrime group that repurposed the tool for cryptocurrency theft.

At that stage, attackers began distributing the exploit through fake gambling and crypto websites, aiming to infect visitors and steal their digital assets. 


A Rare Mass-Scale iPhone Attack

Mass exploitation of iPhones is unusual because Apple’s mobile ecosystem is generally considered one of the most secure consumer platforms.

However, security researchers say Coruna represents one of the first known exploit kits capable of compromising iPhones at scale, potentially affecting tens of thousands of devices globally. 

Some researchers believe the toolkit may have originated from nation-state-level development, given the complexity of its code and the number of vulnerabilities involved. 


How Users Can Protect Themselves

Security experts recommend several steps for reducing the risk of infection:

  • Update iPhones to the latest iOS version

  • Avoid visiting suspicious websites or downloading unknown apps

  • Enable Apple’s Lockdown Mode for additional protection against advanced spyware

Many of the vulnerabilities exploited by Coruna have already been patched in newer versions of iOS, meaning updated devices are significantly safer. 

Terron Gold
