'Coruna' Kit Deploys 23 Exploits to Compromise iPhones
Google's Threat Intelligence Group (GTIG) has uncovered a powerful new exploit kit named "Coruna" designed to steal cryptocurrency from Apple iPhone users. According to a report released Wednesday, the kit bundles five full iOS exploit chains and a total of 23 exploits, including several previously unknown vulnerabilities. The attack targets a wide range of devices running iOS versions from 13.0 to 17.2.1.
First detected in February 2025, the kit was initially used by a suspected Russian espionage group against Ukrainian targets. By December, its use had expanded significantly, with GTIG discovering the framework on a large network of fake Chinese financial websites, including one spoofing the crypto exchange WEEX. Once a vulnerable iPhone accesses a malicious site, the kit is deployed to hunt for financial data, analyzing text messages for keywords like “seed phrase” and “bank account,” and specifically targeting popular crypto apps like Uniswap and MetaMask to extract funds or sensitive information.
Exploit's Origins Debated as Users Urged to Update iOS
The sophistication of the Coruna kit has ignited a debate over its origins. Mobile security firm iVerify suggested to WIRED that the tool, which likely cost millions to develop, bears the hallmarks of technology built or purchased by the U.S. government that has spun out of control. However, researchers at cybersecurity firm Kaspersky disputed this, stating they found "no evidence of actual code reuse" to link Coruna to known government-developed tools.
Regardless of its source, the threat to crypto holders is immediate. Google has strongly urged all iPhone users to update their devices to the latest version of iOS, as the kit does not work on the most recent software. For users unable to update, Apple’s “Lockdown Mode” provides an additional layer of defense against such sophisticated attacks.