Security researchers at Google’s Threat Intelligence Group (GTIG) have uncovered a powerful hacking toolkit known as Coruna, capable of compromising Apple iPhones and stealing sensitive information — including cryptocy wallet data and recovery phrases. The discovery has raised new concerns about mobile security as attackers increasingly target crypto holders directly through their smartphones.
The exploit kit uses 23 different vulnerabilities combined into five exploit chains, allowing attackers to bypass Apple’s security protections and silently install malware on affected devices.
Coruna targets iPhones running iOS versions 13 through 17.2.1, exploiting weaknesses in the operating system to gain full control of a device after a victim visits a malicious website or interacts with compromised web content.
Unlike many cyberattacks that rely on phishing links or downloads, this exploit can work simply by visiting a compromised site, making it far more dangerous and difficult to detect.
Once the malware is installed, attackers can extract sensitive data from the device, including:
Cryptocy wallet files
Seed phrases and backup codes
Banking and financial information
Messages and personal files
The malware can also scan device storage for keywords such as “backup phrase” or “bank account” in order to locate valuable financial data.
Researchers say Coruna did not begin as a typical cybercriminal toolkit. The exploit framework appears to have originally been used for high-level surveillance and espionage operations before eventually falling into the hands of financially motivated hackers.
Google’s investigation found the toolkit moving through several stages:
Initially used by a surveillance vendor’s client in targeted attacks.
Later deployed in state-linked espionage campaigns, including operations targeting Ukrainian websites.
Eventually adopted by a Chinese cybercrime group that repurposed the tool for cryptocy theft.
At that stage, attackers began distributing the exploit through fake gambling and crypto websites, aiming to infect visitors and steal their digital assets.
Mass exploitation of iPhones is unusual because Apple’s mobile ecosystem is generally considered one of the most secure consumer platforms.
However, security researchers say Coruna represents one of the first known exploit kits capable of compromising iPhones at scale, potentially affecting tens of thousands of devices globally.
Some researchers believe the toolkit may have originated from nation-state-level development, given the complexity of its code and the number of vulnerabilities involved.
Security experts recommend several steps for reducing the risk of infection:
Update iPhones to the latest iOS version
Avoid visiting suspicious websites or downloading unknown apps
Enable Apple’s Lockdown Mode for additional protection against advanced spyware
Many of the vulnerabilities exploited by Coruna have already been patched in newer versions of iOS, meaning updated devices are significantly safer.
The crypto market is entering the end of an era as CME Group officially launches 24/7 Bitcoin and…
Asset management giant VanEck has officially launched the first-ever U.S. spot ETF tied directly to BNB, the native…
Layer-1 blockchain Sui experienced another major network outage on May 28 after block production and transaction processing…
The Depository Trust & Clearing Corporation (DTCC) has announced plans to connect its tokenization infrastructure to the Stellar blockchain,…
Robinhood is officially entering the “agentic AI” era after unveiling a new beta feature that…
Bitcoin financial services company Fold has officially begun rolling out its long-awaited Bitcoin rewards credit card, allowing…