Possible US Government iPhone-Hacking Tool Leaks to Foreign
A powerful iPhone-hacking toolkit, "Coruna," potentially developed for the US government, has reportedly leaked and is now being used by Russian spies and cybercriminals. Google discovered the sophisticated exploits, capable of silently hijacking iPhones, which were first seen targeting Ukrainians and later used to steal cryptocurrency from Chinese victims. This proliferation highlights a dangerous "second-hand" market for advanced cyber weapons.

A sophisticated iPhone-hacking toolkit, potentially originating from a US government contractor, has reportedly fallen into the hands of Russian intelligence and, subsequently, cybercriminals. Dubbed "Coruna" by Google researchers, this powerful set of exploits, capable of silently hijacking iPhones by merely visiting a website, represents a critical security leak with alarming implications for global mobile device safety and international espionage. Its observed journey from targeting Ukrainians to stealing cryptocurrency from Chinese-speaking victims highlights a dangerous proliferation of advanced cyber capabilities.
Google's Tuesday report details Coruna as a highly advanced toolkit comprising five distinct hacking techniques that exploit 23 vulnerabilities in iOS. These techniques allow for the silent installation of malware on an iPhone simply by visiting a compromised website. Such a comprehensive collection of exploits suggests development by a well-funded, likely state-sponsored entity.
Coruna's Troubling Trajectory
The toolkit's evolution is a concerning timeline. Google initially detected components of Coruna in February of last year, attributing their use to an undisclosed “customer of a surveillance company.” Five months later, a more complete version resurfaced, employed in an espionage campaign by a suspected Russian spy group, discreetly embedded within visitor counters on Ukrainian websites. Most recently, Coruna has been observed in a purely profit-driven operation, infecting Chinese-language crypto and gambling sites to steal victims' cryptocurrency.
While Google's report is notably silent on the original "surveillance company customer," mobile security firm iVerify provides a strong suggestion: the code may have been built for or acquired by the US government. iVerify co-founder Rocky Cole points to Coruna's overlap with "Triangulation," a hacking operation discovered targeting Kaspersky in 2023, which Russia attributed to the NSA. Cole further notes the code appears to have been originally written by English speakers and bears the “hallmarks of other modules that have been publicly attributed to the US government,” calling it the first instance of “very likely US government tools…spinning out of control.”
An "EternalBlue Moment" for Mobile
This potential leak raises profound questions about the security of mobile devices globally, akin to what iVerify’s Cole terms the “EternalBlue moment for mobile malware.” EternalBlue was an NSA Windows-hacking tool stolen and leaked in 2017, leading to widespread catastrophic cyberattacks like WannaCry and NotPetya. Google warns that Coruna's proliferation suggests an “active market for ‘second hand’ zero-day exploits,” meaning these advanced techniques could be adopted or adapted by various threat actors.
Apple has since patched the vulnerabilities exploited by Coruna in iOS 17.3 and later versions. However, devices running iOS 13 through 17.2.1 remain susceptible, particularly Safari users, as the toolkit targets Apple's WebKit framework. Coruna also checks for and avoids devices with Apple's Lockdown Mode enabled, providing a layer of protection for users who utilize this stringent security setting. Despite these limitations, iVerify estimates that the cybercriminal version of Coruna alone may have infected roughly 42,000 devices, based on command-and-control server traffic. The full extent of infections from the Russian espionage campaign remains unclear.
Professional Origins, Crude Alterations
Spencer Parker, iVerify's chief product officer, described the core Coruna exploits as "very professionally written" and modular, contrasting them with the "poorly written" additions made by cybercriminals to steal cryptocurrency, photos, and emails. Rocky Cole argues against the possibility of Coruna being merely repurposed components of Triangulation, emphasizing that many elements are novel and the entire toolkit appears to have been crafted by a "single author," indicating a cohesive, purpose-built framework.
The Role of Exploit Brokers
The precise mechanism of Coruna's potential leak remains a mystery. However, experts like Cole point to the shadowy industry of zero-day exploit brokers who deal in sophisticated hacking techniques for tens of millions of dollars. These brokers, often “unscrupulous,” may sell tools to the highest bidder without exclusivity arrangements. Cole suggests that Coruna likely “ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” echoing the sentiment that “the genie is out of the bottle.” This scenario gains some context from recent events, such as the sentencing of Peter Williams, an executive of US government contractor Trenchant, who sold hacking tools to a Russian zero-day broker.
The emergence and wide-ranging proliferation of Coruna underscore a chilling new reality in cybersecurity. A potent, potentially state-developed, iPhone-hacking capability has now entered the global black market, posing an ongoing threat to individuals and national security interests alike, even as the original source and the full extent of its impact continue to unravel.
FAQ
Q: What is Coruna and why is it significant? A: Coruna is a highly sophisticated iPhone-hacking toolkit that exploits 23 vulnerabilities in iOS to silently install malware on devices. It's significant because it represents a rare and powerful capability, possibly originating from the US government, that has since proliferated to Russian spies and cybercriminals, raising major concerns about mobile security.
Q: Which iPhone users are vulnerable to Coruna? A: iPhone users running iOS versions 13 through 17.2.1 are primarily vulnerable, especially if using Safari, as the toolkit targets Apple's WebKit framework. Apple has patched these vulnerabilities in iOS 17.3 and later. Devices with Apple's Lockdown Mode enabled are not targeted by Coruna.
Q: How did Coruna potentially get into the hands of foreign adversaries and criminals? A: While unconfirmed, security experts suggest that unscrupulous zero-day exploit brokers, who operate a multi-million-dollar market for hacking tools, may have sold Coruna to various buyers. This could explain its journey from a potential US government source to Russian espionage operations and then to cybercriminal groups.





