Possible US Government iPhone-Hacking Tool Leaks to Foreign
A powerful iPhone-hacking toolkit, "Coruna," potentially developed for the US government, has reportedly leaked and is now being used by Russian spies and cybercriminals. Google discovered the sophisticated exploits, capable of silently hijacking iPhones, which were first seen targeting Ukrainians and later used to steal cryptocurrency from Chinese victims. This proliferation highlights a dangerous "second-hand" market for advanced cyber weapons.

A sophisticated iPhone-hacking toolkit, potentially originating from a US government contractor, has reportedly fallen into the hands of Russian intelligence and, subsequently, cybercriminals. Dubbed "Coruna" by Google researchers, this powerful set of exploits, capable of silently hijacking iPhones by merely visiting a website, represents a critical security leak with alarming implications for global mobile device safety and international espionage. Its observed journey from targeting Ukrainians to stealing cryptocurrency from Chinese-speaking victims highlights a dangerous proliferation of advanced cyber capabilities.
Google's Tuesday report details Coruna as a highly advanced toolkit comprising five distinct hacking techniques that exploit 23 vulnerabilities in iOS. These techniques allow for the silent installation of malware on an iPhone simply by visiting a compromised website. Such a comprehensive collection of exploits suggests development by a well-funded, likely state-sponsored entity.
Coruna's Troubling Trajectory
The toolkit's evolution is a concerning timeline. Google initially detected components of Coruna in February of last year, attributing their use to an undisclosed “customer of a surveillance company.” Five months later, a more complete version resurfaced, employed in an espionage campaign by a suspected Russian spy group, discreetly embedded within visitor counters on Ukrainian websites. Most recently, Coruna has been observed in a purely profit-driven operation, infecting Chinese-language crypto and gambling sites to steal victims' cryptocurrency.
While Google's report is notably silent on the original "surveillance company customer," mobile security firm iVerify provides a strong suggestion: the code may have been built for or acquired by the US government. iVerify co-founder Rocky Cole points to Coruna's overlap with "Triangulation," a hacking operation discovered targeting Kaspersky in 2023, which Russia attributed to the NSA. Cole further notes the code appears to be originally written by English speakers and bears the "hallmarks of other modules that have been publicly attributed to the US government,” calling it the first instance of “very likely US government tools…spinning out of control.”
An "EternalBlue Moment" for Mobile
This potential leak raises profound questions about the security of mobile devices globally, akin to what iVerify’s Cole terms the “EternalBlue moment for mobile malware.” EternalBlue was an NSA Windows-hacking tool stolen and leaked in 2017, leading to widespread catastrophic cyberattacks like WannaCry and NotPetya. Google warns that Coruna's proliferation suggests an “active market for ‘second hand’ zero-day exploits,” meaning these advanced techniques could be adopted or adapted by various threat actors.
Apple has since patched the vulnerabilities exploited by Coruna in iOS 17.3 and later versions. However, devices running iOS 13 through 17.2.1 remain susceptible, particularly Safari users, as the toolkit targets Apple's WebKit framework. Coruna also checks for and avoids devices with Apple's Lockdown Mode enabled, providing a layer of protection for users who utilize this stringent security setting. Despite these limitations, iVerify estimates that the cybercriminal version of Coruna alone may have infected roughly 42,000 devices, based on command-and-control server traffic. The full extent of infections from the Russian espionage campaign remains unclear.
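A fleet-triage check built from the version range and the Lockdown Mode detail given above, as an added example that is not code from the article, Google or iVerify. The device inventory is constructed, and the script assumes an MDM export can supply each device's iOS version string and Lockdown Mode state; note that version strings must be compared numerically, since plain string comparison would rank "17.10" below "17.3".

```python
"""Flag devices still inside the iOS range the article reports as affected
by Coruna (iOS 13 through 17.2.1; fixed in iOS 17.3 and later) and lacking
Lockdown Mode, which the toolkit is reported to check for and skip."""
from dataclasses import dataclass

AFFECTED_MIN = (13, 0, 0)   # first affected major version, per the article
FIXED_IN = (17, 3, 0)       # Apple's fix; any build >= this is patched


def parse_version(s: str) -> tuple:
    """'17.2.1' -> (17, 2, 1). Missing components default to 0 so that
    '17.3' sorts above '17.2.1' and '17.10' sorts above '17.3'."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the build lies in the reported vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


@dataclass
class Device:
    name: str            # assumed field from the MDM export
    ios: str             # iOS version string as reported by the device
    lockdown_mode: bool  # whether Lockdown Mode is enabled


def triage(devices):
    """Names of devices on an affected build with Lockdown Mode off.
    Lockdown Mode devices on old builds still need the update; they are
    simply lower priority here because the article says Coruna skips them."""
    return [d.name for d in devices
            if is_affected(d.ios) and not d.lockdown_mode]


# Constructed sample inventory (not real devices)
SAMPLE = [
    Device("exec-phone-01", "17.2.1", False),   # last affected build
    Device("exec-phone-02", "17.3", False),     # patched
    Device("reporter-phone", "16.7.10", True),  # affected but Lockdown Mode on
    Device("lab-legacy", "12.5.7", False),      # below the reported range
    Device("sales-phone", "17.10", False),      # patched; string compare would fail
]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print("update required:", name)
```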
Professional Origins, Crude Alterations
Spencer Parker, iVerify's chief product officer, described the core Coruna exploits as "very professionally written" and modular, contrasting them with the "poorly written" additions made by cybercriminals to steal cryptocurrency, photos, and emails. Rocky Cole argues against the possibility of Coruna being merely repurposed components of Triangulation, emphasizing that many elements are novel and the entire toolkit appears to have been crafted by a "single author," indicating a cohesive, purpose-built framework.
The Role of Exploit Brokers
The precise mechanism of Coruna's potential leak remains a mystery. However, experts like Cole point to the shadowy industry of zero-day exploit brokers who deal in sophisticated hacking techniques for tens of millions of dollars. These brokers, often “unscrupulous,” may sell tools to the highest bidder without exclusivity arrangements. Cole suggests that Coruna likely “ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” echoing the sentiment that “the genie is out of the bottle.” This scenario gains some context from recent events, such as the sentencing of Peter Williams, an executive of US government contractor Trenchant, who sold hacking tools to a Russian zero-day broker.
The emergence and wide-ranging proliferation of Coruna underscore a chilling new reality in cybersecurity. A potent, potentially state-developed, iPhone-hacking capability has now entered the global black market, posing an ongoing threat to individuals and national security interests alike, even as its original source and the full extent of its impact remain unresolved.
FAQ
Q: What is Coruna and why is it significant? A: Coruna is a highly sophisticated iPhone-hacking toolkit that exploits 23 vulnerabilities in iOS to silently install malware on devices. It's significant because it represents a rare and powerful capability, possibly originating from the US government, that has since proliferated to Russian spies and cybercriminals, raising major concerns about mobile security.
Q: Which iPhone users are vulnerable to Coruna? A: iPhone users running iOS versions 13 through 17.2.1 are primarily vulnerable, especially if using Safari, as the toolkit targets Apple's WebKit framework. Apple has patched these vulnerabilities in iOS 17.3 and later. Devices with Apple's Lockdown Mode enabled are not targeted by Coruna.
Q: How did Coruna potentially get into the hands of foreign adversaries and criminals? A: While unconfirmed, security experts suggest that unscrupulous zero-day exploit brokers, who operate a multi-million-dollar market for hacking tools, may have sold Coruna to various buyers. This could explain its journey from a potential US government source to Russian espionage operations and then to cybercriminal groups.