A highly dangerous iPhone hacking toolkit has drifted from government-grade use into the hands of foreign spies and criminal networks, raising urgent questions about mobile security.
A sophisticated iPhone exploit kit, known as Coruna, has emerged in the wild and demonstrated the ability to silently install malware on devices simply when a user visits a compromised website. Google researchers describe Coruna as a toolkit that leverages 23 distinct iOS vulnerabilities and uses five complete exploitation techniques to bypass iPhone defenses via the WebKit browser framework. This breadth and depth suggest it was developed by a well-resourced, likely state-sponsored group.
The investigation traces Coruna’s lineage through a series of stages. Initial versions appeared in February of last year and were linked to a “customer of a surveillance company.” A few months later, a more comprehensive version surfaced in an espionage operation attributed to a suspected Russian intelligence group, which embedded the code in a standard visitor-counting component on Ukrainian sites. More recently, a profit-driven campaign deployed Coruna to infect Chinese-language crypto and gambling sites, stealing cryptocurrency from victims.
One notable gap in the public record is the identity of that original surveillance customer. However, analyses from iVerify—another security firm that examined a version of Coruna recovered from infected Chinese sites—suggest the toolkit may have originated from a US government-related enterprise. Both Google and iVerify observe that Coruna contains components previously linked to the Triangulation operation, which Russia attributed to the NSA in 2023. The US government has not commented on those claims.
Independent researchers also note signs that English-speaking developers authored some of Coruna’s code, adding to the theory that a government-adjacent tool could have found its way into other hands. Rocky Cole, cofounder of iVerify, emphasizes the toolkit’s unusual sophistication and modular design, which he says point to tooling that was intended for, or closely tied to, government use. He describes this as the first clear instance of a US-government-adjacent tool “spinning out of control” and being repurposed by adversaries and criminals alike.
Google characterizes Coruna as an “EternalBlue moment” for mobile malware: a rare, valuable toolkit slipping into the broader cybercrime ecosystem where it can be bought, sold, and repurposed by various actors. In practice, Apple has since shipped iOS versions that are not affected; Coruna’s confirmed exploitation targets iOS 13 through 17.2.1 and relies on WebKit flaws, so Safari users on those older builds are the ones exposed. There are no confirmed exploits against Chrome within Coruna, and the toolkit checks for Lockdown Mode before attempting an attack.
Estimates from iVerify suggest the for-profit campaign alone may have compromised tens of thousands of devices, based on around 42,000 visits to a command-and-control server linked to the operation on Chinese-language sites. The scale of infections among Ukrainians reached via the Russian espionage route remains uncertain.
Regarding the nature of the code, iVerify notes the for-profit variant appeared to modify Coruna to drain cryptocurrency wallets, harvest photos, and siphon emails. Yet the added malware was described as cruder than the core Coruna framework, implying the core toolkit remains highly polished and capable. Some researchers propose that Coruna could be a newer, unified tool created by a single author, rather than a patchwork of previously published components. Others suggest that overlaps with the Triangulation suite might indicate repurposing after discovery by other groups.
If Coruna did originate as a government toolkit, its leakage into non-state audiences underscores a broader risk: highly advanced zero-day exploits can propagate beyond their intended users through brokers who trade in top-tier cyber weapons. In a related development, an industry insider recently received a prison sentence for selling zero-day exploits to Russian brokers, illustrating how quickly such tools can move from developers to wider circles.
Bottom line: the “genie is out of the bottle.” Coruna’s trajectory—from potential government origin to global proliferation—highlights the vulnerability of mobile devices to sophisticated, professionally engineered exploits. It also raises important questions about how nations, brokers, and criminal actors interact in the zero-day market, and what that means for everyday users. How should individuals, organizations, and policymakers respond to the reality that powerful hacking tools can migrate across borders and actors? And what responsibilities do developers, vendors, and governments share in preventing such tools from falling into the wrong hands?