Highly Sophisticated iPhone Hacking Tool, "Coruna," Shifts from State Spies to Cybercriminals, Possibly Originating from US Contractor

A groundbreaking iPhone-hacking technique, recently identified in widespread use, has sent shockwaves through the global cybersecurity community. This method, capable of indiscriminately hijacking any iOS device merely by a user visiting a compromised website, represents an alarming escalation in digital threats. What makes this event particularly rare and disturbing is the apparent trajectory of the powerful hacking toolkit at its core, dubbed "Coruna." Evidence suggests it has transitioned from the hands of suspected Russian intelligence operatives, who deployed it against Ukrainian targets, to a cybercriminal syndicate focused on stealing cryptocurrency from Chinese-speaking victims. Adding a layer of geopolitical intrigue, some clues indicate that this sophisticated toolkit might have been originally developed by a US government contractor and subsequently acquired by the American government.

Security researchers at Google’s Threat Analysis Group (TAG) and Project Zero on Tuesday unveiled their findings in a detailed report, describing "Coruna" as an exceptionally advanced iPhone exploitation kit. This toolkit is distinguished by its inclusion of five complete, distinct hacking techniques, meticulously engineered to bypass all of an iPhone’s native security defenses. These capabilities allow for the silent installation of malicious software on a device simply when a user navigates to a webpage embedded with the exploitation code. In total, Coruna leverages an impressive 23 separate vulnerabilities within Apple’s iOS operating system. This extensive collection of hacking components points strongly to its creation by a profoundly well-resourced group, most likely operating under state sponsorship.

Google’s investigation meticulously traced various components of Coruna back to hacking techniques first observed in February of the previous year. At that time, Google attributed their use to what it vaguely described as a "customer of a surveillance company." The identity of this initial customer remains conspicuously absent from Google’s public report, fueling speculation.

A mere five months later, Google detected a more complete and refined version of Coruna re-emerging in what appeared to be a sophisticated espionage campaign. This operation was carried out by a suspected Russian spy group, which ingeniously concealed the potent hacking code within a common visitor-counting component embedded in numerous Ukrainian websites. The strategic deployment on sites frequented by Ukrainians underscores the toolkit’s use for intelligence gathering in the context of the ongoing conflict.

The trajectory of Coruna took another concerning turn when Google subsequently spotted it in use yet again, this time in a campaign with an overtly profit-driven motive. This latest iteration saw the toolkit infecting Chinese-language cryptocurrency and gambling websites. Its objective in this phase was to deliver malware specifically designed to pilfer cryptocurrency from the digital wallets of unsuspecting victims. This alarming transition from state-sponsored espionage to pure cybercrime highlights the fluidity and potential for proliferation of such advanced digital weapons.

While Google’s report refrains from naming the original "surveillance company customer," a separate analysis by the mobile security firm iVerify offers a provocative hypothesis. iVerify, which obtained and examined a version of Coruna from one of the compromised Chinese sites, suggests that the code may have originally been developed for, or acquired by, the United States government. Both Google and iVerify noted that Coruna incorporates multiple components previously observed in a distinct hacking operation known as "Triangulation." This operation was discovered targeting the Russian cybersecurity firm Kaspersky in 2023, an incident that the Russian government publicly attributed to the US National Security Agency (NSA). The US government has, to date, not issued a response to Russia’s claim regarding the "Triangulation" operation.

Further supporting iVerify’s theory, the cofounder of iVerify, Rocky Cole, observed that Coruna’s underlying code appears to have been originally authored by English-speaking coders. "It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," Cole told WIRED. He went on to describe this as a watershed moment: "This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups."

Regardless of Coruna’s precise origin, Google’s warning is clear: a rare and exceptionally valuable hacking toolkit has apparently circulated through a series of improbable hands. It now exists "in the wild," meaning it could still be adopted—or adapted—by any number of threat actors seeking to target iPhone users. Google’s report states, "How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits." The term "zero-day" refers to secret hacking techniques that exploit vulnerabilities unknown to the software vendor, making them particularly potent before patches are released. The report further cautions, "Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities."

Cole of iVerify draws a chilling parallel, labeling this potential leakage of a US-developed tool as an "EternalBlue moment" for mobile malware. EternalBlue was a powerful Windows-hacking tool infamously stolen from the NSA and subsequently leaked to the public in 2017. Its unauthorized release led to its use in some of the most catastrophic cyberattacks in history, including North Korea’s WannaCry ransomware worm and Russia’s devastating NotPetya attack, which caused billions of dollars in damage globally. The analogy underscores the profound danger posed when highly sophisticated, state-level cyber weapons fall into unpredictable hands, leading to widespread and often indiscriminate harm.

From a technical standpoint, Google confirmed that Apple has addressed the specific vulnerabilities exploited by Coruna in the most recent versions of its mobile operating system, iOS 18. This means Coruna’s identified exploitation techniques are only confirmed to be effective against devices running older versions of iOS, specifically from iOS 13 through 17.2.1. The toolkit primarily targets vulnerabilities within Apple’s WebKit framework, which powers Safari and other web browsers on iOS. Consequently, Safari users on these older, unpatched iOS versions would be vulnerable. However, the toolkit does not contain confirmed techniques for directly targeting users of Chrome or other browsers on iOS. Google also noted a crucial detail: Coruna is designed to check whether an iOS device has Apple’s most stringent security setting, known as Lockdown Mode, enabled. If Lockdown Mode is active, the toolkit refrains from attempting to hack the device, highlighting the efficacy of this enhanced security feature.
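For defenders with a fleet inventory, the two facts above (the confirmed-affected range of iOS 13 through 17.2.1, and the kit backing off when Lockdown Mode is on) translate directly into a triage rule. The helper below is an added example, not code from Google, iVerify or WIRED; the MDM export layout and its column names (`device`, `os_version`, `lockdown_mode`) are assumed, and the sample rows are constructed.

```python
"""Triage an MDM inventory export against the iOS range the article reports
for Coruna (confirmed effective on iOS 13 through 17.2.1; checks for and skips
Lockdown Mode). Added example; CSV column names are an assumption."""
import csv
import io

# Confirmed-affected range as stated in the report (inclusive on both ends).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample export, not real inventory data.
SAMPLE_CSV = """device,os_version,lockdown_mode
ipad-01,17.2.1,no
iphone-02,17.3,no
iphone-03,16.5,yes
iphone-04,18.0,no
iphone-05,12.5.7,no
"""


def parse_version(s: str) -> tuple:
    """Normalise '17.2', '17.2.1' or '18.0.1' to a comparable 3-tuple."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_affected_range(version: str) -> bool:
    """True when the version lies inside the confirmed-affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(csv_text: str) -> list:
    """Return (device, verdict) pairs.
    'affected-range'          : inside 13.0 .. 17.2.1, Lockdown Mode off
    'affected-range-lockdown' : inside the range but Lockdown Mode on
    'outside-confirmed-range' : newer than 17.2.1 or older than 13 (not
                                confirmed affected; iOS 18 is patched)"""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lockdown = row.get("lockdown_mode", "").strip().lower() in ("yes", "true", "1")
        if not in_affected_range(row["os_version"]):
            verdict = "outside-confirmed-range"
        elif lockdown:
            verdict = "affected-range-lockdown"
        else:
            verdict = "affected-range"
        results.append((row["device"], verdict))
    return results
```

Devices flagged `affected-range` are the ones to prioritise for an iOS update; those reporting Lockdown Mode still warrant patching, since the mitigation depends on the kit's own check rather than on the vulnerabilities being closed.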

Despite these limitations on older iOS versions, iVerify’s analysis suggests that Coruna likely infected tens of thousands of iPhones. The company collaborated with a partner possessing access to network traffic and monitored visits to a command-and-control server associated with the cybercriminal version of Coruna targeting Chinese-language websites. Based on the volume of these connections, iVerify estimates that approximately 42,000 devices may have already been compromised by this toolkit in the profit-focused campaign alone. The full extent of Coruna’s victim count, particularly regarding Ukrainians targeted by the suspected Russian espionage operation, remains unknown. Both Google and Apple have declined to offer further comments beyond Google’s published report.

In iVerify’s detailed examination of the cybercriminal variant of Coruna—as they did not have access to earlier versions—the company discovered that the core code had been modified. These alterations were designed to deploy malware on target devices capable of draining cryptocurrency from digital wallets and stealing sensitive data such as photos and, in some instances, emails. However, Spencer Parker, iVerify’s chief product officer, noted a striking disparity in code quality. While the added malware for cryptocurrency theft and data exfiltration was described as "poorly written," the underlying Coruna toolkit itself was "impressively polished and modular." "My God, these things are very professionally written," Parker remarked about the exploits included in Coruna, suggesting that the cruder, less refined malware components were likely appended by the cybercriminals who later acquired the core toolkit.

Regarding the code modules that hint at Coruna’s potential origins as a US government toolkit, iVerify’s Rocky Cole acknowledged an alternative explanation. He considered the possibility that the overlaps between Coruna’s code and the "Operation Triangulation" malware—which Russia pinned on US hackers—could be a result of "Triangulation’s" components being discovered and subsequently repurposed by other actors. However, Cole argued that this scenario is improbable. He pointed out that many components within Coruna had never been observed before its detection, and critically, the entire toolkit appears to have been created by a "single author," rather than being a patchwork of disparate elements. "The framework holds together very well," stated Cole, who has a background working at the NSA, though he emphasized he has been out of government for over a decade and was not basing his findings on outdated insider knowledge of US hacking tools. "It looks like it was written as a whole. It doesn’t look like it was pieced together."

If Coruna is, indeed, a US hacking toolkit that has gone rogue, the precise mechanism by which it fell into foreign and criminal hands remains shrouded in mystery. Cole, however, pointed to the burgeoning and often clandestine industry of zero-day brokers. These entities reportedly pay tens of millions of dollars for highly sought-after zero-day hacking techniques, which they then resell for purposes ranging from espionage and cybercrime to cyberwarfare. A notable and timely example is Peter Williams, an executive of the US government contractor Trenchant, who was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero between 2022 and 2025. Williams’ sentencing memo highlighted that Trenchant supplied hacking tools to the US intelligence community and other members of the "Five Eyes" intelligence alliance (comprising the US, UK, Australia, Canada, and New Zealand). While the specific tools he sold or their targets were not disclosed, this case underscores the precarious nature of state-developed cyber weapons.

"These zero-day and exploit brokers tend to be unscrupulous," Cole explained. "They sell to the highest bidder and they double dip. Many don’t have exclusivity arrangements. That’s very likely what happened here." Cole’s conclusion paints a stark picture: "One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay. The genie is out of the bottle."

The Coruna saga serves as a potent reminder of the inherent risks associated with the proliferation of advanced cyber weaponry. Whether developed by government entities or private contractors, such powerful tools, once leaked or resold, can rapidly become global threats, blurring the lines between state-sponsored espionage and profit-driven cybercrime, and ultimately jeopardizing the security and privacy of countless individuals worldwide. The incident underscores the urgent need for stringent controls and accountability in the development and handling of such potent digital instruments.