Security researchers at Google have identified a new exploit kit targeting Apple iPhone users, with the goal of stealing crypto wallet seed phrases. The toolkit, known as “Coruna,” mainly affects devices running older versions of iOS between 13.0 and 17.2.1.
According to Google’s Threat Intelligence Group, the kit contains five full exploit chains and a total of 23 vulnerabilities, some of which were previously unknown. Researchers first spotted the activity in February 2025.
Initially, it appeared to be used by a suspected Russian espionage group targeting Ukrainian users. Later, investigators found the same toolkit being deployed through fake Chinese crypto websites designed to trick victims into revealing sensitive information.
Researchers urge iPhone users to update iOS
The researchers noted that the exploit does not work on the latest iOS versions. They are urging iPhone users to update their devices as soon as possible.
For those who cannot update immediately, enabling Apple’s Lockdown Mode may help reduce the risk of sophisticated attacks.
Researchers from Google Threat Intelligence Group said they first spotted parts of the iOS exploit in February 2025 while investigating activity linked to a surveillance company’s customer.
The attack used malicious JavaScript to “fingerprint” a device — meaning it quietly gathered details about the user’s phone to determine the exact exploit needed to compromise it.
Later in the year, the same JavaScript framework was discovered on several hacked Ukrainian websites.
However, the malicious code was not shown to every visitor. Instead, it was selectively delivered to specific Apple iPhone users located in certain geographic regions, suggesting the attack was carefully targeted rather than widely distributed.
Experts suspect government-linked origins for exploit kit
Researchers at Google Threat Intelligence Group did not reveal who the surveillance company’s client might be, but some cybersecurity experts believe the exploit kit could have links to government-level tools.
Mobile security firm iVerify suggested that the technology may have originally been developed or acquired by the U.S. government.
iVerify co-founder Rocky Cole told WIRED that the exploit appears extremely sophisticated and likely cost millions of dollars to build.
He said certain technical patterns resemble tools previously associated with U.S. government cyber capabilities, raising the possibility that such technology may have leaked and is now being reused by cybercriminals or rival groups.
Not everyone agrees with that assessment, however. Researchers at Kaspersky told The Register that they have not seen clear evidence in the published reports proving that the Coruna exploit kit was created by the same developers as those earlier tools.