Google’s Threat Intelligence Group warned on Tuesday that a sophisticated iPhone exploit kit called Coruna has been actively targeting cryptocurrency users, combining 23 separate vulnerabilities to steal wallet seed phrases and login credentials.
The toolkit, which may have government origins, has already been deployed across fake financial websites and affects iPhones running iOS versions 13.0 through 17.2.1.
Google uncovers a powerful iPhone exploit toolkit
The exploit kit dubbed Coruna is designed to break into iPhones running older versions of Apple’s iOS operating system, specifically versions 13.0 through 17.2.1.
According to Google researchers, the framework combines 23 separate vulnerabilities and five full exploit chains that allow attackers to bypass Apple’s security protections and silently install malware.
Once deployed, the exploit allows hackers to extract sensitive information from infected devices, including cryptocurrency wallet data, login credentials, and private messages.
“The framework surrounding the exploit kit is extremely well engineered. The exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks,” Google researchers said in their technical analysis.
Researchers first identified Coruna in February 2025, when the exploit was used in a targeted surveillance campaign.
Since then, it has evolved into a tool used by cybercriminal groups for financial theft.
Security experts warn that the sophistication of the toolkit suggests it required significant funding and advanced engineering capabilities.
Fake crypto websites used to infect victims
One of the most alarming discoveries is how the exploit is being distributed.
According to Google researchers, hackers embedded malicious JavaScript code on fake cryptocurrency and finance-related websites that impersonate legitimate services.
When an iPhone user visits one of these pages, the site fingerprints the device and delivers the appropriate exploit chain to compromise the phone.
Once the malware is installed, it begins scanning the device for sensitive financial data.
This includes:
- Crypto wallet seed phrases
- Keywords such as “backup phrase” or “bank account”
- Installed crypto applications like MetaMask and Uniswap
The malware can then exfiltrate the data to remote servers controlled by attackers, potentially giving them full access to victims’ digital assets.
Researchers say the campaign expanded rapidly in late 2025 when hundreds of Chinese-language websites linked to finance and cryptocurrency were found hosting the malicious framework.
In some cases, the attacks required nothing more than visiting a compromised webpage, making them significantly harder to detect or avoid.
Possible government origins raise security concerns
Another controversial aspect of the Coruna toolkit is its suspected origin.
Cybersecurity firm iVerify analyzed the code and found similarities with components used in previous state-level cyber operations.
This has led some researchers to speculate that the toolkit may have originated from a government surveillance program before leaking into criminal networks.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government,” said Rocky Cole, co-founder of iVerify.
Other security researchers remain cautious about attributing the tool’s origin.
Experts from Kaspersky said they found no conclusive evidence linking the exploit directly to any specific government developer.
Google warned that the spread of such tools could create an EternalBlue-style moment for mobile devices, referencing the infamous leaked exploit that triggered the global WannaCry ransomware attacks.
What crypto investors should do now
Cybersecurity experts stress that the risk primarily affects older iPhones running outdated iOS versions.
Devices updated to the latest operating system are not vulnerable to the Coruna exploit.
Google recommends several immediate steps to protect devices:
- Update iPhones to the latest iOS version.
- Enable Apple’s Lockdown Mode if a software update is not possible.
- Avoid storing crypto seed phrases or wallet backups in text messages or screenshots.
- Be cautious of unfamiliar cryptocurrency websites or links.
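For anyone managing more than one device, the first two steps start with knowing which phones fall inside the affected range. The Python sketch below is an added example, not code from Google's analysis or from this article: it triages a device inventory export against the range stated above, iOS 13.0 through 17.2.1. The CSV column names, device names and sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13.0 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

def parse_ios_version(text):
    """Return (major, minor, patch), or None if the field is not a version."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text):
    v = parse_ios_version(version_text)
    if v is None:
        return "unknown"        # missing or malformed: review by hand
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"       # update, or enable Lockdown Mode if it cannot update
    if v < AFFECTED_MIN:
        return "below-range"    # older than anything the article covers
    return "outside-range"      # newer than the last version the article names

def triage(inventory_csv):
    """Group iOS device names by status; other platforms are skipped."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"].strip().lower() != "ios":
            continue
        result.setdefault(classify(row["os_version"]), []).append(row["device"])
    return result

# Constructed sample inventory (hypothetical device names and columns).
# "17.10" is a made-up version that a plain string comparison would wrongly
# sort below "17.2.1"; it is here to exercise the numeric comparison.
SAMPLE = """device,platform,os_version
iphone-a,iOS,17.2.1
iphone-b,iOS,17.10
iphone-c,iOS,16.7
iphone-d,iOS,13
iphone-e,iOS,12.5.7
iphone-f,iOS,
pixel-g,Android,14
iphone-h,iOS,17.3
"""

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(devices)}")
```

Devices reported as "unknown" should be checked by hand rather than assumed safe, since a missing version field says nothing about the installed release.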
The attack underscores the importance of securing private keys and using hardware wallets or offline storage for significant holdings.
As mobile devices increasingly serve as gateways to digital assets, cybersecurity analysts warn that advanced exploit kits like Coruna could become a growing threat to retail crypto investors worldwide.