Google Uncovers “Coruna” – A Potent iPhone Exploit Kit Targeting Crypto Wallets
Researchers say the kit, which bundles nearly two dozen iOS vulnerabilities, has been employed by both state‑linked actors and cyber‑criminals to harvest cryptocurrency seed phrases and other financial data.
The discovery
The Google Threat Intelligence Group (GTIG) released a detailed report on Wednesday describing a sophisticated iOS exploit framework it has dubbed Coruna. The toolkit is capable of compromising iPhones running iOS 13.0 through 17.2.1. According to GTIG, Coruna contains five full exploit chains and a total of 23 individual vulnerabilities, several of which have not been seen publicly before.
GTIG says the first samples were spotted in February 2025. Since then the group has traced its activity to at least two distinct threat actors:
- A suspected Russian espionage unit – initially used the kit to target Ukrainian users.
- Organised cyber‑crime groups – later repurposed the exploits on counterfeit Chinese finance websites, many of which masquerade as legitimate crypto services.
The kit is delivered via a JavaScript‑based fingerprinting framework that detects the victim’s iOS version and geographic location before dropping the appropriate payload.
How the kit works against crypto users
When an iPhone visits a compromised site, the JavaScript routine silently probes the device for exploitable weaknesses. If a suitable flaw is found, the Coruna chain is executed, giving the attacker code execution at the operating‑system level.
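The version gate described in the two paragraphs above, as an added example that is not GTIG's code or anything recovered from the Coruna kit: it parses the iOS version a Safari User‑Agent string advertises and tests it against the 13.0 to 17.2.1 range the report gives. The same parse is useful on the defensive side for triaging web or proxy logs for devices that were still in the exposed range. The User‑Agent strings are constructed, and `parseIOSVersion`, `gateDecision` and `exposedVersionsFromLog` are names chosen here.

```javascript
// Added example, not GTIG's code or anything recovered from the Coruna kit.
// It reproduces the version gate the article describes: parse the iOS version
// a Safari User-Agent string advertises and test it against the 13.0 - 17.2.1
// range the report gives. The same parse lets a defender triage web or proxy
// logs for devices that were still in the exposed range.
// All User-Agent strings below are constructed, not captured.

const MIN_VULNERABLE = [13, 0, 0];   // first version the article says is covered
const MAX_VULNERABLE = [17, 2, 1];   // last version the article says is covered

// iPhone UAs carry "CPU iPhone OS 17_2_1", iPad UAs "CPU OS 16_6".
// Returns [major, minor, patch] or null for a non-iOS UA.
// Caveat: since iPadOS 13, Safari on iPad sends a desktop (Macintosh) UA by
// default, so most iPads are invisible to this check; a real fingerprinting
// stage would fall back to other signals.
function parseIOSVersion(ua) {
  const m = /\bCPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?/.exec(ua);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inVulnerableRange(version) {
  return compareVersions(version, MIN_VULNERABLE) >= 0 &&
         compareVersions(version, MAX_VULNERABLE) <= 0;
}

// The per-visitor gating decision a kit like this makes. The article also
// mentions geographic targeting; that second filter is left out here.
function gateDecision(ua) {
  const v = parseIOSVersion(ua);
  return v !== null && inVulnerableRange(v) ? 'serve-exploit' : 'skip';
}

// Defender-side use: from a list of UAs (e.g. a web-server access log), return
// the distinct iOS versions that fell within the range Coruna covered.
function exposedVersionsFromLog(uas) {
  const seen = new Set();
  for (const ua of uas) {
    const v = parseIOSVersion(ua);
    if (v !== null && inVulnerableRange(v)) seen.add(v.join('.'));
  }
  return [...seen].sort();
}

// Constructed sample UAs: in-range iPhone, patched iPhone, too-old iPhone,
// in-range iPad, and a desktop Safari client.
const SAMPLE_UAS = [
  'Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1',
  'Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1',
  'Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1',
  'Mozilla/5.0 (iPad; CPU OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15',
];

console.log(SAMPLE_UAS.map(gateDecision));        // serve-exploit, skip, skip, serve-exploit, skip
console.log(exposedVersionsFromLog(SAMPLE_UAS));  // [ '16.6.0', '17.2.1' ]
```

The comparison is done on numeric tuples rather than on the raw string, because a string comparison would put "17_10" before "17_2"; the gate must be exact at the 17.2.1 boundary, since 17.3 and later are outside what the article says the kit can reach.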
Once the phone is compromised, the malware performs a focused search for cryptocurrency‑related information:
- Seed phrases and backup keywords – it scans text fields, notes apps, and clipboard contents for strings that resemble “seed phrase”, “backup phrase”, or the 12‑24 word patterns used by wallets.
- Bank‑account references – keywords such as “bank account” trigger additional data collection.
- Popular DeFi and wallet apps – the kit specifically seeks out Uniswap, MetaMask and similar applications, attempting to exfiltrate private keys or initiate unauthorized transactions.
The attackers then relay the harvested data to command‑and‑control servers, where it can be sold on darknet markets or used directly to empty victims’ wallets.
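The keyword and seed‑phrase search described in the list above, as an added example that is neither GTIG's code nor the kit's: it is the equivalent check written from the defender's side, the kind of heuristic a clipboard‑hygiene or data‑loss‑prevention tool would run over notes and clipboard text. The sample notes are constructed; the 12‑word phrase is the published BIP39 test vector (eleven times "abandon" plus "about"), not a real wallet. `scanText`, `findKeywordHits` and `findMnemonicRuns` are names chosen here.

```javascript
// Added example, not GTIG's code or the kit's. The article describes the
// malware searching notes and clipboard text for trigger keywords and for
// 12-24 word wallet seed phrases; this is the equivalent check written from
// the defender's side (a clipboard-hygiene or DLP heuristic).
// Limitation, stated plainly: BIP39 mnemonics use words from a fixed
// 2048-word list and carry a checksum. That list is not embedded here, so the
// mnemonic check below is structural only (word count and word shape) and
// will produce some false positives on ordinary all-lowercase text.

const TRIGGER_KEYWORDS = ['seed phrase', 'backup phrase', 'recovery phrase', 'bank account'];
// Valid BIP39 mnemonic lengths (128-256 bits of entropy in 32-bit steps).
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);
// Every BIP39 English word is 3-8 lowercase ASCII letters.
const WORD_SHAPE = /^[a-z]{3,8}$/;

function findKeywordHits(text) {
  const lower = text.toLowerCase();
  return TRIGGER_KEYWORDS.filter(k => lower.includes(k));
}

// Split on whitespace and collect maximal runs of mnemonic-shaped tokens;
// report a run when its length is a valid mnemonic size. Punctuation,
// digits or capitals break a run, which is what keeps most prose from matching.
function findMnemonicRuns(text) {
  const runs = [];
  let run = [];
  const flush = () => {
    if (MNEMONIC_LENGTHS.has(run.length)) runs.push(run.join(' '));
    run = [];
  };
  for (const token of text.split(/\s+/)) {
    if (WORD_SHAPE.test(token)) run.push(token); else flush();
  }
  flush();
  return runs;
}

function scanText(text) {
  const keywords = findKeywordHits(text);
  const mnemonicRuns = findMnemonicRuns(text);
  return { keywords, mnemonicRuns, sensitive: keywords.length > 0 || mnemonicRuns.length > 0 };
}

// Constructed sample notes. The 12-word phrase is the published BIP39 test
// vector (all "abandon" plus "about"), not anyone's real wallet.
const SAMPLE_NOTES = [
  'Wallet seed phrase (do not share): abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
  'Grocery list: eggs, milk, bread, coffee',
  'Bank account for rent: ends in 4421',
  'Call the dentist on Tuesday and renew the parking permit.',
];

for (const note of SAMPLE_NOTES) console.log(scanText(note));
```

Two design notes. First, the run detector requires an exact valid length, so a mnemonic immediately followed by more lowercase words on the same line (for example "... about keep safe") is missed; a sliding window over runs of 12 or more tokens catches that at the cost of more false positives. Second, a production detector would validate every token against the BIP39 wordlist and verify the checksum, which eliminates almost all false positives on ordinary prose.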
Mitigation advice
Google stresses that Coruna is ineffective against the latest iOS releases. Users are urged to:
- Upgrade to the newest iOS version as soon as it becomes available.
- If an update is not feasible, enable Apple’s “Lockdown Mode.” This feature dramatically reduces the attack surface for high‑risk exploits, making it harder for sophisticated toolkits to gain a foothold.
Apple’s own documentation describes Lockdown Mode as switching off a range of features that exploit chains commonly rely on, including most message attachment types, certain complex web technologies such as just‑in‑time (JIT) JavaScript compilation, and wired connections to a locked device. For a kit delivered through a web page, the JIT restriction is the relevant barrier, and it offers a practical stop‑gap for devices that cannot be promptly patched.
Who built Coruna? A contested claim
The origin of the exploit kit remains a point of debate. Mobile‑security firm iVerify told WIRED that the code’s complexity and development cost—running into millions of dollars—suggest it may have been created or purchased by a United States government agency. According to iVerify co‑founder Rocky Cole, the toolkit bears “hallmarks” of known U.S. cyber‑operations.
Conversely, Kaspersky’s senior researcher disputed the attribution, saying the publicly released evidence does not show definitive code reuse that would link Coruna to any confirmed U.S. tools.
The disagreement underscores a broader issue: advanced exploitation frameworks, once built by nation‑state actors, can leak or be sold on the black market, ending up in the hands of criminal groups.
Analysis
Coruna represents a worrying convergence of state‑level capability and criminal profit motive. Its breadth, covering five major iOS releases (13 through 17) issued over roughly four years, means a large installed base remains vulnerable, especially in regions where users delay updates.
The targeting of crypto‑related content is particularly significant for the blockchain community. Seed phrases are the single point of failure for most non‑custodial wallets; once stolen, they give attackers unrestricted access to the underlying assets. By focusing on both wallet apps and generic text searches, the kit maximizes the likelihood of capturing these high‑value secrets.
The involvement of a suspected Russian espionage outfit also hints at an early phase of “information‑war‑for‑crypto” tactics: using financial theft to fund operations or destabilize adversaries’ economies.
From a defensive standpoint, the episode reinforces two long‑standing best practices:
- Prompt patching – installing security updates quickly is the most effective countermeasure against a kit like Coruna, whose chains stop at iOS 17.2.1 and do not work against current releases.
- Layered hardening – features such as Apple’s Lockdown Mode provide valuable additional barriers when users cannot update immediately.
Key takeaways
| Area | Takeaway |
|---|---|
| Exploit scope | Coruna covers iOS 13.0‑17.2.1, with five full exploit chains and 23 individual vulnerabilities, some previously unknown. |
| Primary target | Crypto wallet seed phrases, backup terms, and financial keywords extracted from compromised iPhones. |
| Delivery vector | Malicious JavaScript embedded in fake finance and crypto websites, often geo‑targeted to specific iPhone users. |
| Actors involved | Initially a suspected Russian espionage group; later repurposed by cyber‑criminals operating fake Chinese crypto portals. |
| Mitigation | Update to the latest iOS version; enable Apple’s Lockdown Mode if an update is not possible. |
| Attribution dispute | iVerify suggests possible U.S. government origin; Kaspersky finds no concrete code‑reuse evidence. |
| Implication for crypto community | Increased risk of wallet compromise; underscores need for secure storage practices and vigilance against phishing sites. |
Bottom line: Google’s identification of Coruna illuminates a new, potent threat vector against iPhone users holding cryptocurrency. While Apple’s regular updates remain the strongest line of defence, the episode highlights the necessity for users to stay current with patches, employ built‑in hardening features, and remain skeptical of unfamiliar finance‑related web pages—especially those promising crypto services.
Source: https://cointelegraph.com/news/google-warns-crypto-scams-using-new-and-powerful-iphone-exploit-kit?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound