Google’s Threat Intelligence Group has identified a sophisticated iOS exploit kit capable of stealing cryptocurrency wallet seed phrases, financial data, and credentials from iPhone users who visit compromised or fraudulent websites.
The kit, named Coruna by its developers, targets iPhones running iOS versions 13.0 through 17.2.1. According to Google Threat Intelligence Group (GTIG), it contains five full iOS exploit chains and a total of 23 exploits, including several that were previously unknown to the public. GTIG published its findings on Wednesday.
How the Kit Works
GTIG first encountered the kit in February 2025, when a customer of an unnamed surveillance company used JavaScript to fingerprint devices before delivering an appropriate exploit. The same JavaScript framework later appeared on multiple compromised Ukrainian websites, delivered selectively to iPhone users from specific geographic locations.
In December, researchers found the framework embedded across a large set of fake Chinese websites focused on finance. One site spoofed the crypto exchange WEEX. When an iPhone user loads these pages, the exploit kit activates and begins scanning for financial data, searching messages for seed phrases and keywords like “backup phrase” and “bank account.”
The kit also targets specific crypto applications directly, including Uniswap and MetaMask, extracting stored credentials or crypto holdings where possible.
Affected Devices and Recommended Steps
GTIG confirmed that Coruna does not work against the latest version of iOS. The group urged all iPhone users to update their devices immediately. For those unable to update, Apple’s Lockdown Mode was recommended as a countermeasure, as Apple says the feature is designed to resist sophisticated attacks of this type.
Disputed Origins
The origins of Coruna have drawn conflicting assessments from security researchers. GTIG did not identify the surveillance company customer from which the kit is believed to have originated. Mobile security firm iVerify told WIRED the tool may have been developed or procured by the US government.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” said Rocky Cole, co-founder of iVerify. “This is the first example we’ve seen of very likely US government tools — based on what the code is telling us — spinning out of control and being used by both our adversaries and cybercriminal groups.”
Kaspersky pushed back on that assessment. The firm’s principal security researcher told The Register there was “no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors.”
Broader Pattern of Use
GTIG tracked Coruna’s deployment across two distinct contexts: a suspected Russian espionage group targeting Ukrainians, and later a separate campaign using fake Chinese crypto websites to steal financial data. That the same underlying framework appears in both campaigns suggests the kit has migrated beyond its original use case, regardless of who built it.
The crypto-targeting campaign represents a direct threat to retail users, particularly those accessing exchange sites or managing wallets on mobile devices without the latest software protections installed.
This article is a curated summary based on third-party sources.