Researchers from Google have identified a sophisticated hacking toolkit capable of secretly breaking into iPhones and stealing cryptocurrency from widely used wallet applications.
The toolkit, named Coruna, targets several well-known crypto wallets such as MetaMask, Phantom, and Trust Wallet. Victims do not need to download anything or tap suspicious links; simply opening a compromised or fraudulent website on a vulnerable iPhone can activate the attack.
Vulnerable iPhones
Devices running iOS 17.2.1 or earlier are exposed to the exploit. Apple fixed the vulnerabilities in iOS 17.3, which was released in January 2024.
Once the exploit runs, the toolkit scans a device’s notes and messages looking for cryptocurrency recovery phrases or keywords such as “backup phrase.” If it finds them, attackers can take control of the associated wallet without needing a password.
Around 18 different crypto applications are reportedly affected, including Exodus Wallet and Uniswap Wallet, alongside other major wallets.
How Researchers Found It
Investigators from Google Threat Intelligence Group (GTIG) said they recovered the complete toolkit after analyzing hundreds of fake financial and crypto-related websites, including a fraudulent version of the WEEX exchange.

Evidence suggests the toolkit has been used by multiple groups:
- A suspected Russian espionage operation reportedly deployed it during the summer of 2025 to target iPhone users in Ukraine through hacked local business websites.
- Later, financially motivated cybercriminals believed to be based in China distributed the toolkit through large numbers of scam websites. This broader campaign allowed researchers to obtain and analyze the full exploit kit.
A Built-In Defense
Activating Lockdown Mode on an iPhone completely prevents the attack from working. The Coruna toolkit detects when this security feature is enabled and stops running.
Bigger Implications
Security analysts say the toolkit appears to have circulated between several different actors, including a surveillance vendor, a state-linked Russian group, and cybercriminals, highlighting the emergence of a secondary market for advanced hacking tools.
Two of the vulnerabilities used by Coruna were previously linked to Operation Triangulation, a sophisticated iPhone spying campaign uncovered by Kaspersky in 2023. This reuse shows how high-end exploits often move between different threat groups once they become available.
