Meet the Top 101 in Crypto
Home / Education / Crypto / Security / Google Warns of ‘Coruna’ iPhone Exploit Kit Targeting Crypto Wallets on Older iOS — Here’s Who’s at Risk
Security
Complexity Icon Easy
7 min read

Google Warns of ‘Coruna’ iPhone Exploit Kit Targeting Crypto Wallets on Older iOS — Here’s Who’s at Risk

Published 05 March 2026
Onkar Singh
Authors
By Onkar Singh
Edited by Dr. Guneet Kaur
Subpoena Phishing Scam: How Fake Google Notices Are Tricking Crypto Users
Google Warns of ‘Coruna’ iPhone Exploit Kit Targeting Crypto Wallets on Older iOS — Here’s Who’s at Risk

Key Takeaways

  • Older iPhones are the main targets. The Coruna exploit affects devices running iOS 13 to iOS 17.2.1, while newer versions of iOS have patched many of the vulnerabilities.
  • Crypto wallets are a primary target. Attackers use the exploit to search for wallet apps, seed phrases, and financial data on compromised devices.
  • Malicious websites trigger the attack. Fake crypto exchanges or compromised websites can silently deliver the exploit when visited from vulnerable iPhones.
  • Software updates are the best protection. Researchers at the Google Threat Intelligence Group say updating to the latest iOS version blocks the exploit kit.

Security researchers at Google have uncovered a powerful iPhone exploit toolkit called Coruna, capable of targeting Apple devices running older versions of iOS.

The exploit kit was identified by the Google Threat Intelligence Group (GTIG), which found that attackers used it to compromise iPhones, steal cryptocurrency wallet data, and harvest financial information.

Coruna contains five full iOS exploit chains and 23 different vulnerabilities, enabling attackers to bypass security protections on iPhones running iOS 13 through iOS 17.2.1.

While newer iOS versions have patched the vulnerabilities used by the toolkit, millions of devices worldwide still run older software versions, making them potential targets for these attacks.

The discovery highlights a growing trend in cybercrime: sophisticated exploit tools originally built for surveillance operations eventually spreading into financially motivated hacking campaigns.

Understanding the Coruna iOS Exploit Kit

The Coruna exploit kit is essentially a collection of vulnerabilities that attackers can deploy to break into iPhones through malicious websites.

Once triggered, the exploit chain can bypass multiple layers of Apple’s security protections and run malicious code on the device.

Key technical capabilities of the Coruna exploit kit

  • Targets iPhones running iOS 13.0 through iOS 17.2.1
  • Contains five exploit chains and 23 vulnerabilities
  • Uses non-public exploitation techniques
  • Bypasses multiple iOS security protections
  • Delivers malicious payloads designed to steal financial information

The exploit framework is engineered to identify the exact iPhone model and operating system version before launching the appropriate attack.

This targeted approach significantly increases the success rate of the exploit.

Timeline: How Coruna Spread Across Different Threat Actors

The exploit kit’s usage evolved significantly during 2025 as it spread across multiple threat actors.

Coruna iOS exploit kit timeline
Coruna iOS exploit kit timeline. | Source: Google

Early 2025 — First Detection

Researchers first detected the exploit chain in February 2025 during a targeted attack involving a customer of a surveillance company.

The attack used a previously unseen JavaScript framework designed to fingerprint devices and launch the correct exploit.

Mid-2025 — Espionage Campaigns

Later that year, researchers found the same exploit framework deployed in watering hole attacks targeting Ukrainian websites.

A watering hole attack occurs when hackers compromise legitimate websites that are frequently visited by a specific group of users.

Visitors accessing the infected websites were silently redirected to the exploit framework.

Late 2025 — Large-Scale Crypto Scam Campaigns

Toward the end of the year, investigators discovered the exploit kit embedded within fake cryptocurrency and gambling websites.

These websites attempted to trick users into opening them on iPhones, triggering the exploit chain and installing malware designed to steal cryptocurrency wallets.

How the Exploit Chain Works

Coruna relies on a multi-stage exploitation process:

Stage 1: Device fingerprinting

The malicious website first gathers information about the device:

  • iPhone model
  • iOS version
  • browser environment
  • device security settings

If the target device meets the exploit conditions, the attack proceeds.

Stage 2: WebKit vulnerability exploitation

The exploit uses vulnerabilities in Apple’s WebKit browser engine, which powers the Safari browser.

One of the vulnerabilities used was CVE-2024-23222, which allowed attackers to execute malicious code through the browser.

Deobfuscated JavaScript of the Coruna exploit kit
Deobfuscated JavaScript of the Coruna exploit kit. | Source: Google

Stage 3: Security bypass

After initial access, the exploit bypasses advanced iOS protections including:

  • Pointer Authentication Code (PAC)
  • sandbox restrictions
  • kernel protections

Stage 4: Payload deployment

Finally, the exploit installs a malicious loader that downloads additional modules from command-and-control servers.

How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild
How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild. | Source: Google

Crypto Wallets and Financial Data Were Primary Targets

Unlike traditional spyware operations that focus on surveillance, the Coruna exploit campaigns appear to focus heavily on financial theft.

The malware contains modules designed to extract sensitive information from several popular cryptocurrency wallets.

Targeted crypto wallet apps included

  • MetaMask
  • Phantom
  • Trust Wallet
  • Coin98
  • BitKeep
  • Exodus
  • TON Wallet apps
  • Uniswap mobile wallet

The malware also scans devices for:

  • seed phrases
  • backup phrases
  • crypto wallet keys
  • bank account references

If detected, the information is transmitted back to attacker-controlled servers.

Why Older iPhones Are More Vulnerable

Coruna specifically targets devices running outdated iOS versions.

Apple patched several of the vulnerabilities used in the exploit kit in later updates.

For example:

  • CVE-2024-23222 was patched in iOS 17.3
  • several earlier vulnerabilities were fixed between iOS 15 and iOS 17

However, many devices remain vulnerable because users:

  • delay software updates
  • use older devices no longer receiving updates
  • disable automatic updates

Cybercriminals often exploit these gaps.

Why Attackers Use Fake Crypto Websites

Many Coruna campaigns relied on fake cryptocurrency exchanges and finance platforms.

These websites served two purposes:

  1. Lure victims searching for crypto investment opportunities
  2. Trigger the exploit chain when the site loads on a vulnerable iPhone

Some sites even displayed pop-ups encouraging users to open the website on an iPhone device to “continue verification” or “unlock features.”

This tactic ensured the exploit was delivered only to compatible targets.

Advanced Features That Make Coruna Dangerous

Security researchers noted several sophisticated features within the exploit kit.

  • Intelligent exploit selection: The toolkit automatically selects the correct exploit chain based on the device’s configuration.
  • Encryption and obfuscation: Exploit components are encrypted using ChaCha20 encryption and compressed before delivery.
  • Modular architecture: Attackers can easily deploy additional malware modules remotely after gaining device access.
  • Domain generation algorithms:The malware uses automated systems to generate backup command-and-control domains if primary servers go offline.

These features indicate a professionally developed exploit framework.

Safety Measures: How iPhone Users Can Protect Their Crypto Wallets

Although Coruna targeted older iOS versions, several precautions can significantly reduce risk the risk crypto wallet theft:

  • Update iOS immediately: Install the latest version of iOS available for your device. Security patches block many known vulnerabilities used by exploit kits.
  • Enable Lockdown Mode: Apple’s Lockdown Mode adds extra protections designed for users who may face targeted attacks. The Coruna exploit kit reportedly fails when Lockdown Mode is active.
  • Avoid unknown crypto websites: Be cautious when visiting unfamiliar crypto trading platforms or investment websites. Fake exchanges are commonly used to distribute exploits.
  • Install apps only from official sources: Download applications only from the Apple App Store. Avoid installing wallet apps from unofficial websites.
  • Secure crypto wallets: Store seed phrases offline and never save them in notes apps or screenshots. Hardware wallets provide additional protection for large holdings.

What the Coruna Discovery Means for the Crypto Industry

The Coruna exploit kit highlights how cybercriminals increasingly target cryptocurrency holders.

Digital assets are attractive targets because transactions are often irreversible once funds are stolen.

The discovery also reveals another emerging trend: exploit tools originally developed for government surveillance may eventually circulate within underground markets.

Researchers believe a secondary market for previously undisclosed exploits could be growing within cybercrime networks.

For iPhone users, the most effective defense remains simple: keep devices updated, avoid suspicious websites, and store cryptocurrency credentials securely.

You May Also Like

FAQs

What is the Coruna iOS exploit kit?

The Coruna exploit kit is a collection of vulnerabilities that attackers can use to break into iPhones running older versions of iOS. Once triggered through a malicious website, it can execute code on the device and deploy malware designed to steal financial information.

Which iPhone versions are vulnerable to the Coruna exploit?

Devices running iOS 13 through iOS 17.2.1 are the main targets. Many of the vulnerabilities used in the exploit chain were patched in later updates, including iOS 17.3 and newer versions.

What kind of information does the malware try to steal?

The malware primarily looks for cryptocurrency wallet data, including seed phrases, backup phrases, wallet keys, and references to bank accounts. It can also analyze text stored on the device to identify sensitive financial information.

How can iPhone users protect themselves from this exploit?

Users should update their devices to the latest iOS version, avoid visiting suspicious crypto websites, enable Apple’s Lockdown Mode for additional protection, and store cryptocurrency recovery phrases offline instead of saving them in apps or screenshots.

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Onkar Singh

Onkar Singh has three years of experience as a digital finance content creator. Throughout his career, he has collaborated with various DeFi projects and crypto media outlets. In his leisure time, he enjoys fitness activities at the gym and watching movies across different genres. Balancing his professional and personal interests, Onkar continues to contribute to the digital finance landscape while pursuing his hobbies.

Email [email protected]
Close
By using CCN.com you consent to our privacy & cookie policy Continue
Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
By using CCN.com you consent to our privacy & cookie policy
Continue
DMCA.com Protection Status