Cybersecurity researchers warn that a powerful set of iPhone exploits is increasingly being used in cybercrime campaigns targeting cryptocurrency users.
Conclusion
- Google researchers have identified a powerful iOS exploit kit called Coruna that contains 23 vulnerabilities across five exploit chains.
- Malware can scan devices for cryptographic wallet recovery phrases and financial information, potentially allowing attackers to remove funds.
- The tool reportedly transitioned from surveillance operations to state espionage and eventually to financially motivated cybercriminal groups.
Hackers use iPhone exploit kit to collect crypto wallet information
According to a new report from the Google Threat Intelligence Group, the exploit framework called “Coruna” has five complete iOS exploit chains and 23 vulnerabilities that are capable of affecting iPhones with operating systems between iOS 13 and iOS 17.2.1.
The exploit kit allows attackers to execute malicious code through web content by exploiting vulnerabilities in Apple’s WebKit browser engine and other components. When a victim visits a compromised website, the framework scans the device’s fingerprint to determine the exact iPhone model and software version before deploying an effective exploit chain.
Researchers say the malware can then deliver additional payloads designed to collect sensitive data from the device, including cryptocurrency wallet information.
In some campaigns, the exploit kit was deployed via fake gambling and cryptocurrency websites that specifically targeted iPhone users.
The malware payload was able to scan device images and files for keywords such as “passphrase” or “bank account,” which allowed attackers to obtain recovery phrases and access to crypto wallets.
Google’s investigation shows that the exploit kit has been distributed among several threat actors over the past year. It was first spotted in a surveillance operation in 2025, then used in phishing attacks against Ukrainian users by a suspected Russian spy group, and eventually adopted by financially motivated hackers linked to China.
Security analysts say the case illustrates a worrying trend in which sophisticated spyware exploits are moving from government or commercial surveillance tools into the wider cybercrime ecosystem.
Researchers recommend updating devices to the latest iOS versions, as the exploit kit does not affect newer versions of the software.
The findings highlight the growing intersection between mobile security threats and cryptocurrency theft, with attackers increasingly targeting digital wallets stored on smartphones.
