Google threat researchers say they discovered a sophisticated iOS exploit kit, dubbed Coruna, built to steal cryptocurrency wallet seed phrases from iPhone users. Coruna targets devices running iOS 13.0 through 17.2.1 and reportedly includes five full exploit chains and 23 individual exploits, some of them previously unknown.
According to the Google Threat Intelligence Group (GTIG), components of the toolkit were first observed in February 2025. GTIG has tracked its use in attacks attributed to a suspected Russian espionage group targeting Ukrainian users, and later on a large set of fake Chinese finance websites designed to harvest crypto. The kit does not work against the newest iOS releases, so GTIG advised users to update their devices or, if they cannot upgrade, enable Apple’s Lockdown Mode to reduce exposure.
Coruna’s delivery relies on JavaScript-based fingerprinting to identify targeted iPhone visitors by device and geolocation, and then delivers the appropriate exploit only to selected users. GTIG found the framework hidden on multiple compromised Ukrainian sites and subsequently on many counterfeit Chinese pages, including sites impersonating the WEEX crypto exchange. When a victim’s iPhone loads an infected page, the exploit kit probes for financial data: it scans on-device text for seed-phrase keywords such as “backup phrase” or “bank account,” and looks for popular crypto apps like Uniswap and MetaMask to extract sensitive information or access assets.
Attribution of Coruna’s origins remains disputed. Mobile security firm iVerify told WIRED that the toolkit is highly sophisticated and may have cost millions to develop; iVerify noted similarities to modules previously linked to U.S. government tools and suggested it could have been developed or procured by state actors. iVerify also warned that advanced government tools can be repurposed by other states or criminal groups. Kaspersky’s principal security researcher, by contrast, told The Register they saw no clear public evidence of code reuse that would support linking Coruna to the same authors.
Readers are encouraged to verify reporting independently. The risk mitigation steps emphasized by researchers are to keep iOS up to date, to enable Lockdown Mode on devices that cannot be upgraded, and to exercise caution when visiting unfamiliar or spoofed financial sites.