Threat researchers at Google say they uncovered a new iOS exploit kit built to steal crypto wallet seed phrases from iPhone users. The kit, called “Coruna” by its developers, targets iPhones running iOS 13.0 through 17.2.1 and includes five full iOS exploit chains and 23 exploits, some previously unknown, the Google Threat Intelligence Group (GTIG) reported.
GTIG says it first spotted parts of the toolkit in February 2025 and has since tracked its use, first by a suspected Russian espionage group against Ukrainians and later on a large set of fake Chinese finance websites that aim to steal crypto. The toolkit does not work on the latest iOS, so GTIG urged users to update their devices or enable Apple’s Lockdown Mode if updating isn’t possible.
The attacks use JavaScript-based fingerprinting to deliver the appropriate exploit only to selected iPhone visitors from specific geolocations. GTIG found the same framework hidden on multiple compromised Ukrainian sites and later on many fake Chinese websites, including pages spoofing the WEEX crypto exchange. When an iPhone user visits an infected site, the framework delivers the exploit kit and searches for financial data, scanning texts for seed-phrase-related terms like “backup phrase” or “bank account.” It also looks for popular crypto apps such as Uniswap and MetaMask to extract assets or sensitive information.
Attribution of Coruna’s origins is debated. The mobile security firm iVerify told WIRED the toolkit appears highly sophisticated, possibly costing millions to develop, and bears similarities to modules previously attributed to the U.S. government, suggesting it may have been built or purchased by U.S. authorities. iVerify warned this could be an example of advanced government tools being repurposed by adversaries and cybercriminals. By contrast, Kaspersky’s principal security researcher told The Register they saw no clear evidence of code reuse in public reports to support attributing Coruna to the same authors.