Coruna Hack Targets Crypto Wallet Recovery Phrases

• Google researchers discovered Coruna exploit kit targets iPhones running iOS versions 13–17.
• The toolkit contains 23 exploits and five full chains attacking Apple devices.
• Hackers used compromised websites and fake crypto pages to infect targeted iPhones.

A sophisticated hacking toolkit capable of breaking into Apple iPhones has surfaced in espionage operations and financial cybercrime campaigns, showing how advanced surveillance technology can eventually spread into broader criminal use.

Researchers from Google Threat Intelligence Group say the exploit kit, internally called “Coruna,” targets iPhones running iOS versions 13.0 through 17.2.1, covering devices released between 2019 and late 2023.

The toolkit contains five complete exploit chains and 23 separate vulnerabilities, allowing attackers to break through multiple layers of Apple’s security system and take control of a device.

How the Attacks Worked

The Coruna exploit kit uses a sophisticated web-based attack. When a user visits a compromised website, hidden JavaScript code first scans the device to determine the iPhone model and operating system version.

Based on that information, the attack automatically loads the correct exploit chain.

One of the key vulnerabilities used in the attacks was CVE-2024-23222, a WebKit flaw later patched by Apple in iOS 17.3.

The exploit chain then bypasses several protections built into iOS, eventually installing a loader that communicates with remote command-and-control servers.

Related: Crypto Markets Stand Firm as Geopolitical Risk Hits Stocks and Oil

The Attack’s Unusual Journey

What makes Coruna particularly notable is how it appeared in very different cyber operations throughout 2025.

Early 2025: Surveillance Use

The first traces were discovered in February 2025, when researchers observed a customer of a commercial surveillance vendor using part of the exploit chain. The attack used a custom JavaScript framework with obfuscation techniques designed to hide the exploit code.

Mid-2025: Espionage Operations

By the summer of 2025, the same framework appeared on multiple compromised Ukrainian websites.

The malicious scripts were inserted into pages through hidden iframes, launching targeted attacks on visitors’ iPhones. Security analysts believe these operations were linked to a suspected Russian espionage group.

Late 2025: Financial Crime

Later in the year, researchers discovered the full exploit kit being deployed on hundreds of fake Chinese financial and cryptocurrency websites.

Targeting Crypto Wallets

Unlike many surveillance tools that focus on monitoring communications, the final payload of Coruna appears designed to steal financial information.

The malware scans the device for:

• cryptocurrency recovery phrases
• wallet backup files
• banking details
• sensitive text stored in Apple Notes

Despite its complexity, the exploit kit no longer works on the newest iOS versions. Security experts recommend that iPhone users update their devices immediately and enable advanced protections such as Lockdown Mode if they believe they may be targeted.

Related: Goldman Sachs CEO Says Middle East Tensions Could Pressure Crypto for Weeks