Exploit toolkits that chain a series of vulnerabilities into a full device compromise have historically been the preserve of intelligence agencies: expensive to build, carefully guarded, and deployed against a handful of high-value targets. The Coruna exploit kit breaks that pattern.
According to a Google TAG report, Coruna chains 23 distinct iOS vulnerabilities to silently compromise iPhones and drain cryptocurrency wallets. The affected range is iOS 13.0 through 17.2.1, and the only user action required is visiting a malicious or compromised website, often one posing as a gambling platform or news outlet. Once the browser loads the page, the kit exploits WebKit flaws to gain code execution inside the browser's renderer process, then chains local privilege-escalation bugs to escape the browser sandbox and reach the rest of the device.
What follows is automated and methodical. The malware scans the device's file system for cryptocurrency-related strings, searches the photo library for QR codes that encode wallet addresses, and extracts mnemonic seed phrases stored in the Notes app. It also goes directly after the encrypted vaults of MetaMask, Trust Wallet, and BitKeep (now rebranded as Bitget Wallet). With code execution outside the sandbox the vault files themselves are readable, so the remaining barrier is the password that encrypts them. If that password is weak enough to brute-force offline, or if the seed phrase or credentials were also stored in a note or in a keychain item the attacker can read, the wallet is emptied before the user notices anything has happened.
State Tools, Criminal Hands
The lineage of Coruna's techniques matters. The report draws a connection to Operation Triangulation, a suspected state-sponsored iOS attack campaign. The sophistication embedded in Coruna was previously the kind of capability held by entities like NSO Group for surveillance of journalists, dissidents, and diplomats, not for retail crypto theft. That boundary has now dissolved: financially motivated criminal groups have obtained and repackaged these techniques, collapsing the barrier to attacks that once required nation-state resources.
Security firm iVerify documented the exploit affecting at least 42,000 devices; total financial losses have not yet been disclosed. The broader market context adds weight to that figure: Chainalysis reported in 2025 that the crypto theft market is worth more than $75 billion, with wallet drainers accounting for a substantial share of that total.
Who Is Actually at Risk
The target profile is specific: mobile users who hold self-custody wallets and interact with decentralized applications on the go. Mobile traders often prioritize transaction speed over security discipline, connecting to DApps, signing transactions, and browsing token claim pages from the same device they use for everything else. Coruna does not need the user to approve a malicious transaction. The approval prompt, the control that stops a typical wallet drainer, never comes into play, because the kit bypasses that layer and takes the private keys directly from the device.
The attack vectors cluster around content crypto users already visit: unregulated gambling sites, third-party app stores, and unofficial token distribution pages. Once the malicious URL loads, no further social engineering is needed.
The immediate mitigations the report points to are straightforward. Update iOS to the latest available version: 17.2.1 is the highest confirmed affected version, so any device still on iOS 13.0 through 17.2.1 should be treated as exposed. Move holdings from mobile hot wallets to a hardware cold-storage device such as a Ledger or Trezor, and do it by sending funds to a wallet whose seed was generated on the hardware device itself; importing a seed that already lived on a possibly compromised phone carries the exposure along with it. Seed phrases should not exist in any form on a networked device: not in notes, not in photos, not in cloud-synced storage.
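As an added example (not code from the report, from Google TAG, or from any wallet vendor), the following Python audits a text export, such as the contents of a notes app, for the two kinds of secret described above that the kit hunts for: BIP39 seed phrases and raw 32-byte hex private keys. It doubles as a self-check for the rule that seed phrases should not exist on a networked device. The BIP39 wordlist embedded here is a constructed subset of the real 2048-word list, and the sample notes are constructed for the demonstration; a real audit would load the full list and validate the BIP39 checksum rather than relying on word membership alone.

```python
"""Audit free text (for example a notes export) for the secrets a wallet
drainer hunts for: BIP39 mnemonic seed phrases and raw 32-byte hex
private keys. Added example for this article, not code from the report
or from any wallet vendor."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: a constructed subset of the 2048-word BIP39 English wordlist,
# embedded so the example runs offline. A real auditor loads the full list.
BIP39_WORDS = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt wrap wreck wrestle wrist write wrong
yard year yellow young youth zebra zero zone zoo
""".split())

# BIP39 phrases are exactly 12, 15, 18, 21 or 24 words long.
VALID_LENGTHS = {12, 15, 18, 21, 24}

# secp256k1 private keys (Bitcoin, Ethereum) are 32 bytes, usually written as
# 64 hex digits with an optional 0x prefix. The lookarounds stop the pattern
# from matching inside longer hex blobs such as transaction hashes.
HEX_KEY_RE = re.compile(
    r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")

WORD_RE = re.compile(r"[a-z]+")


@dataclass
class MnemonicHit:
    start_word: int       # index of the first word in the token stream
    words: List[str]
    valid_length: bool    # True when the run is exactly a BIP39 phrase length


def find_mnemonics(text: str, min_run: int = 12) -> List[MnemonicHit]:
    """Return maximal runs of consecutive wordlist words at least min_run long.

    Word membership alone is a heuristic: ordinary prose can contain a few
    wordlist words in a row, but twelve or more is rare outside a seed phrase.
    """
    tokens = WORD_RE.findall(text.lower())
    hits: List[MnemonicHit] = []
    i = 0
    while i < len(tokens):
        if tokens[i] not in BIP39_WORDS:
            i += 1
            continue
        j = i
        while j < len(tokens) and tokens[j] in BIP39_WORDS:
            j += 1
        run = tokens[i:j]
        if len(run) >= min_run:
            hits.append(MnemonicHit(i, run, len(run) in VALID_LENGTHS))
        i = j
    return hits


def find_hex_keys(text: str) -> List[str]:
    """Return every 64-hex-digit token, normalised to lowercase without 0x."""
    return [m.group(1).lower() for m in HEX_KEY_RE.finditer(text)]


def audit(text: str) -> Dict[str, list]:
    """Run both detectors over one document."""
    return {"mnemonics": find_mnemonics(text), "hex_keys": find_hex_keys(text)}


# Constructed sample notes. The phrase in "backup" is assembled from the subset
# above purely for the demonstration and does not correspond to any real wallet.
SAMPLE_NOTES = {
    "shopping": "apples, bread, milk. Call mum about the weekend.",
    "backup": "seed: abandon ability able about above absent absorb abstract "
              "absurd abuse access accident",
    "dev": "test key 0x" + "ab" * 32 + " and tx hash " + "cd" * 40,
}

if __name__ == "__main__":
    for name, body in SAMPLE_NOTES.items():
        result = audit(body)
        flagged = result["mnemonics"] or result["hex_keys"]
        print(f"{name:9s} {'FLAGGED' if flagged else 'clean'}")
        for hit in result["mnemonics"]:
            print(f"  mnemonic candidate, {len(hit.words)} words, "
                  f"valid BIP39 length: {hit.valid_length}")
        for key in result["hex_keys"]:
            print(f"  hex private key candidate: {key[:8]}...{key[-8:]}")
```

The 80-digit "tx hash" in the third note is deliberately not reported: the lookarounds only accept a hex run that is exactly 64 digits wide, which keeps transaction hashes and file digests out of the results. Anything the audit does flag should be moved off the device, not merely deleted from the note, since photos, cloud sync and backups may hold further copies.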
Disclaimer: The information provided in this article is for educational and informational purposes only and does not constitute financial or investment advice.
Photo by Ionela Mat on Unsplash
This article is a curated summary based on third-party sources.