Crypto fraud can lead to iOS exploits


Google’s Threat Intelligence Group (GTIG) warns that a “new and powerful” iOS exploit kit, dubbed Coruna by its developers, has been deployed on fake financial and cryptocurrency websites to lure iPhone users onto landing pages that can silently exploit them. For crypto holders, the risk is blunt: GTIG’s analysis shows that the campaigns are ultimately focused on collecting seed phrases and wallet data from popular mobile apps.

Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, combining five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution through 2025: from early use by a client of a commercial surveillance firm, to watering-hole attacks on compromised Ukrainian websites, and eventually to large-scale distribution via Chinese-language fraud sites linked to a financially motivated actor.

The crypto lure is built for iPhones

During the scam-wave phase, GTIG says it spotted the JavaScript framework behind Coruna deployed on a “very large set” of fake Chinese websites, mostly centered on finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that tries to steer visitors onto an iOS device, then embeds a hidden iframe to deliver the exploit kit “regardless of their location”.


The delivery mechanics matter because they blur the line between traditional phishing and direct compromise of the device: according to GTIG, all it took to start the chain was visiting the trap page from a vulnerable iPhone. The framework fingerprints the device to determine the iOS model and version, then loads a matching WebKit remote code execution exploit and a pointer authentication code (PAC) bypass.

GTIG tied one WebKit RCE to CVE-2024-23222 and noted that Apple addressed it in iOS 17.3 on January 22, 2024.
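The two delivery traits GTIG describes, a client-side check that the visitor is on an iPhone and a hidden iframe pulling the exploit from another origin, are cheap to look for in a captured copy of a suspect page. The triage heuristic below is an added example written for this article; it is not code from GTIG or from the Coruna kit, and the sample HTML and host names in it are constructed placeholders. It uses only the Python standard library, so it runs offline on any saved page.

```python
"""Triage heuristic for Coruna-style lure pages (added example, not GTIG code).

Given the HTML of a fetched page and the origin it was fetched from, flag:
  * iframes that are hidden (display:none, visibility:hidden, opacity:0,
    zero width/height, or the `hidden` attribute) AND point at another origin;
  * inline scripts that sniff for an Apple mobile device before acting.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an element invisible to the visitor
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I
)
# Client-side checks for an Apple mobile device and its iOS version string
IOS_SNIFF = re.compile(r"navigator\.userAgent|iPhone|iPad|OS\s*\d+_\d+", re.I)


class LureScanner(HTMLParser):
    def __init__(self, page_origin: str):
        super().__init__()
        self.page_host = urlparse(page_origin).hostname
        self.findings = []          # list of (kind, evidence) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # boolean attrs like `hidden` map to None
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname
            hidden = (
                HIDDEN_STYLE.search(a.get("style") or "") is not None
                or a.get("width") == "0"
                or a.get("height") == "0"
                or "hidden" in a
            )
            # A relative src (host None) is same-origin and not suspicious here
            cross_origin = host is not None and host != self.page_host
            if hidden and cross_origin:
                self.findings.append(("hidden_cross_origin_iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as one chunk; only inspect those
        if self._in_script and IOS_SNIFF.search(data):
            self.findings.append(("ios_fingerprint_script", data.strip()[:60]))


def scan_page(html: str, page_origin: str):
    """Return the list of (kind, evidence) findings for one page."""
    scanner = LureScanner(page_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a fake exchange page with both traits the article describes.
SAMPLE_LURE = """
<html><body>
<h1>Welcome to the exchange</h1>
<script>
  // constructed sample of the client-side iOS check described in the article
  if (!/iPhone/.test(navigator.userAgent)) { location.href = "/desktop"; }
</script>
<iframe src="https://exploit-host.example/landing" style="display:none" width="0" height="0"></iframe>
<iframe src="/help"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, evidence in scan_page(SAMPLE_LURE, "https://fake-exchange.example"):
        print(f"{kind}: {evidence}")
```

Run against the constructed sample, the scanner reports one `ios_fingerprint_script` finding and one `hidden_cross_origin_iframe` finding; the visible, same-origin `/help` iframe is ignored. Treat this as a first-pass filter for analysts, not as a verdict: legitimate pages also use hidden iframes for analytics, so the combination of both findings on a finance-themed page is the signal worth escalating.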

At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as geared less toward classic surveillance features and more toward financial data theft. According to GTIG, the payload can decode QR codes from images stored on the device and scan blocks of text for BIP39 word sequences along with keywords like “passphrase” and “bank account,” including in Apple Memos.


The payload is also modular. GTIG says it can remotely download and manage additional modules, and many of the identified modules are built to hook into and extract sensitive information from popular crypto wallet applications, including MetaMask, Trust Wallet, Uniswap Wallet, Phantom, Exodus and TON ecosystem wallets such as Tonkeeper.

The wider arc was also noted by mobile security firm iVerify, which released its findings around the same time as GTIG’s report. “And that’s exactly what happened here again, but in mobile devices. The phone OEMs are doing a good job that everyone can . . .”

What Crypto Users Can Do Now

Google says Coruna is “not effective against the latest version of iOS” and urges users to upgrade. If updating is not possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it has added the identified websites and domains to Google Safe Browsing to help limit further exposure.
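For anyone managing a fleet of iPhones, the advice above reduces to a version check: devices on iOS 13.0 through 17.2.1 fall in the range the article says Coruna targets, iOS 17.3 carries the fix for the cited WebKit bug, and anything that cannot reach 17.3 is the candidate for Lockdown Mode. The helper below is an added example, not from the article or GTIG; it accepts version strings as they appear in MDM exports or in Safari user-agent strings, and the inventory rows it ships with are constructed.

```python
"""Fleet triage against the iOS range the article says Coruna targets.

Added example (not from GTIG or the article). Version boundaries come from
the article: targeted range iOS 13.0 to 17.2.1, WebKit fix in iOS 17.3.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (13, 0, 0)
AFFECTED_MAX: Version = (17, 2, 1)   # highest version the article lists as targeted
FIXED_IN: Version = (17, 3, 0)       # CVE-2024-23222 fixed here, per the article

# Matches the "OS 17_2_1" fragment of an iPhone or iPad Safari user agent
UA_VERSION = re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?")


def parse_ios_version(text: str) -> Optional[Version]:
    """Accept '17.2.1', '17.2', or a Safari UA containing 'OS 17_2_1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        m = UA_VERSION.search(text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version: Optional[Version]) -> str:
    """Map a parsed version to an action for the device owner."""
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        # Inside the targeted range: update, or Lockdown Mode if the
        # hardware cannot take iOS 17.3
        return "affected"
    if version < AFFECTED_MIN:
        # Below the range the recovered chains cover, but long unsupported
        return "older_unsupported"
    return "patched"


def triage_inventory(rows: Dict[str, str]) -> Dict[str, str]:
    """rows: device id -> version string or user agent. Returns id -> status."""
    return {device: classify(parse_ios_version(v)) for device, v in rows.items()}


# Constructed inventory: mixes plain versions with user-agent strings
SAMPLE_INVENTORY = {
    "ip-001": "17.2.1",
    "ip-002": "17.3",
    "ip-003": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_5 like Mac OS X)",
    "ip-004": "12.5.7",
    "ip-005": "Mozilla/5.0 (iPad; CPU OS 17_2 like Mac OS X)",
    "ip-006": "n/a",
}

if __name__ == "__main__":
    for device, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{device}: {status}")
```

The status strings are deliberately coarse so they can feed a ticketing rule: `affected` devices get an update reminder or a Lockdown Mode push, `older_unsupported` ones are out of scope for this kit but should not be on the network anyway, and `unknown` means the inventory field needs fixing before the device can be trusted either way.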

For crypto users, the takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency internet traffic, which makes “visit-to-compromise” campaigns uniquely risky. The GTIG report shows the scam wasn’t just about getting victims to connect wallets; it was about getting them onto the right device, on the right iOS version, so the exploit could do the rest.

At press time, the total crypto market cap was $2.45 trillion.

Chart: Total crypto market capitalization hits the 0.786 Fib level, 1-week chart | Source: TOTAL on TradingView.com

Featured image created with DALL.E, chart from TradingView.com
