Leaked government-grade iPhone hacking tools now used to steal crypto and data from users

Tens of thousands of iPhones may have been infected by a leaked exploit framework once tied to spies

TechSpot

What we know so far: A powerful iOS exploit framework that once appeared to sit in the orbit of government surveillance work is now being reused in criminal schemes to drain cryptocurrency wallets and loot data from ordinary iPhone users. The exploit framework, dubbed Coruna, illustrates how government-grade tools can leak, mutate and reappear in the hands of foreign intelligence services and profit-driven crews.

According to new technical analyses from Google and mobile security firm iVerify, Coruna's technical core comprises five complete exploit chains and 23 distinct iOS vulnerabilities that bypass most of the major software defenses Apple has shipped in versions 13 through 17.2.1, effectively turning a web page into a silent infection vector for unpatched devices.

Google's Threat Intelligence Group says the kit targets Apple's WebKit browser engine, enabling drive-by compromise of any web browser on older iOS builds, using non-public exploitation tricks and mitigation bypasses that point to a well-funded, state-aligned developer with a deep understanding of Apple's security model.

The exploitation pipeline begins with JavaScript logic that fingerprints the device model, OS version, and patch level, before selecting one of several chains to escalate from browser context to kernel-level control and install a loader component with root privileges.
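The affected range quoted above (iOS 13 through 17.2.1) is the practical input a defender needs when triaging a device inventory. The following is an added example, not code from the article, Google or iVerify: it parses the iOS version strings an MDM export typically contains, compares them as numeric tuples rather than as text (so "17.10" sorts after "17.2"), and flags devices whose build falls inside the reported range. The inventory records are constructed for the example; the only assumption beyond the article is that a build above 17.2.1 is treated as outside the reported range, which says nothing about whether any particular later build is patched.

```python
from dataclasses import dataclass

# Inclusive range reported for Coruna: iOS 13 through 17.2.1.
# Assumption for this example: builds above 17.2.1 are simply "outside the
# reported range"; the article does not state which later builds are fixed.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Parse strings such as 'iOS 17.2.1', '17.2', '16' or '17.2.1 (21C66)'
    into a (major, minor, patch) tuple. Missing components default to 0."""
    cleaned = text.strip()
    if cleaned.lower().startswith("ios"):
        cleaned = cleaned[3:].strip()
    if not cleaned:
        raise ValueError(f"empty iOS version string: {text!r}")
    # Drop a trailing build identifier like "(21C66)" if present.
    cleaned = cleaned.split()[0]
    parts = cleaned.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> bool:
    """True when the build lies inside the reported Coruna range (inclusive)."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    ios_version: str


def triage(devices: list[Device]) -> list[str]:
    """Return the device_ids (sorted) whose build is inside the affected range.
    Unparseable version strings are reported separately rather than silently
    skipped, because an unknown build should not be assumed safe."""
    flagged: list[str] = []
    for dev in devices:
        try:
            if in_affected_range(dev.ios_version):
                flagged.append(dev.device_id)
        except ValueError:
            flagged.append(f"{dev.device_id} (unparseable: {dev.ios_version!r})")
    return sorted(flagged)


# Constructed inventory, as an MDM export might report it.
SAMPLE_INVENTORY = [
    Device("dev-001", "iPhone 11", "iOS 17.2.1 (21C66)"),
    Device("dev-002", "iPhone 13", "17.3"),
    Device("dev-003", "iPhone 8", "12.5.7"),
    Device("dev-004", "iPhone XR", "13"),
    Device("dev-005", "iPhone 12", "17.10"),
    Device("dev-006", "iPhone SE", "unknown"),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print("review:", entry)
```

Running the block prints dev-001 and dev-004 as inside the range, dev-006 as unparseable, and leaves dev-002, dev-003 and dev-005 alone; note that a plain string comparison would have misfiled "17.10" as older than "17.2.1".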

Google first saw fragments of Coruna in February of last year, when an unnamed "customer of a surveillance company" deployed related techniques, suggesting the code originated as a bespoke spying capability rather than a commodity exploit pack.

By July, a more complete incarnation surfaced in an espionage operation attributed to a suspected Russian intelligence group, which buried the exploit in a common visitor-counting widget on Ukrainian websites in order to quietly compromise selected iPhone users based on geography.


Later, Coruna appeared again in a very different context: mass infection campaigns targeting Chinese-language cryptocurrency and gambling sites, where any iOS visitor running a vulnerable build risked malware being pushed onto their device.

Both Google and iVerify note that Coruna's codebase overlaps with components from "Triangulation," an iOS operation uncovered in 2023 that targeted Russian cybersecurity firm Kaspersky and was publicly blamed on the US National Security Agency by Russian authorities, though Washington never commented on the allegation.

iVerify cofounder Rocky Cole, a former NSA staffer, argues that the code appears to have been authored by English-speaking developers and bears the same engineering fingerprints as modules previously linked in public reporting to US government programs. In his view, Coruna is the first convincing example of an iOS framework that was very likely built for or sold to a US customer, then escaped into wider circulation and was repurposed by adversarial states and cybercrime groups.

Cole compares the moment to the leak of EternalBlue, the Windows exploit attributed to the NSA that was stolen and later weaponized in the WannaCry and NotPetya outbreaks. Google's report warns that even though Apple has patched the known Coruna vulnerabilities in current iOS releases, the underlying techniques – heap-shaping patterns, sandbox escapes, and mitigation-bypass strategies – are now available to multiple independent groups, which can adapt them to new bugs over time.

That proliferation underscores what Google calls a growing "second-hand" market for zero-day exploit frameworks, where tools originally developed for government buyers later move through brokers and intermediaries into broader use.

iVerify estimates that tens of thousands of phones were compromised in just one of the criminal campaigns built on top of Coruna. Working with a partner that monitors network telemetry, the company counted connections to a command-and-control server associated with the Chinese-language operation and inferred that around 42,000 unique devices may have been infected by the monetization layer alone, excluding earlier espionage deployments.

In samples from the Chinese-facing infrastructure, iVerify found that Coruna had been adapted to deliver a payload focused on financial theft and data exfiltration rather than pure surveillance. Once the exploit chain succeeds, a loader component deploys add-on code that searches for crypto wallets, harvests exchange credentials, and, for some users, can also grab photos and email data.

iVerify chief product officer Spencer Parker says the exploit framework itself is polished and internally consistent, while the criminal add-ons that sit on top of it are comparatively crude, reinforcing the idea that a different, less skilled actor bolted its own malware onto a pre-existing, highly engineered platform.

Cole stresses that he is not drawing on any confidential government knowledge, having left the NSA more than a decade ago, but instead on open technical indicators and the public record around nation-state exploit development.

If Coruna traces back to the US ecosystem, the question becomes how such a framework ended up in foreign and criminal hands. Cole points to an opaque marketplace of exploit brokers who pay substantial sums for zero-day chains and then resell them to intelligence services, law-enforcement buyers and, in some cases, private clients that include cybercriminals.

The recent sentencing of Peter Williams, an executive at US defense contractor Trenchant, illustrates how those channels can blur: Williams admitted to stealing at least eight zero-day exploits from his employer – whose customers included US and Australian intelligence – and selling them to a Russian broker called Operation Zero. Prosecutors say the theft caused around $35 million in losses and led the US Treasury to sanction the brokerage.

Cole characterizes many exploit brokers as fundamentally opportunistic, willing to "double dip" and sell to multiple customers without exclusive agreements so long as buyers are prepared to pay a premium. In his reading, Coruna likely followed that pattern: a powerful iOS framework or component set ended up in the inventory of an exploit broker outside Western intelligence networks, then moved on to state-aligned groups and e-crime operators until it finally surfaced in mass exploitation of ordinary users.