Previously, state-sponsored cyber weapons were reserved for targeting dissidents, diplomats, and high-value political targets. Not anymore. In an alarming twist to the mobile security landscape, Google’s Threat Analysis Team (TAG) has uncovered a sophisticated set of iPhone cryptographic scams being used to empty simple wallets.
The malware, dubbed ‘Coruna’, marks a dangerous change: tools originally designed for spying are now being used to steal your private keys.
Lunaray Security Notice
Google threat researchers have discovered a new exploit tool called #Corona for Apple iPhones that can steal mnemonic phrases from cryptocurrency wallets, affecting devices running iOS 13.0 to 17.2.1.
Please be careful!
— Lunaray (@lunaray_co) March 5, 2026
Discover: Protect your assets with our guide to the best Bitcoin desktop wallets
iPhone Crypto Scam: How Coruna Malware Works
Most crypto scams rely on you making a mistake, such as clicking on a bad link or signing a bad deal. The Coruna malware, a crypto scam that works on iPhones running older software versions, is different because it doesn’t need your permission to log in. The Google TAG report explains how this exploit kit is deployed on fake websites impersonating legitimate services, such as the WEEX crypto exchange.
When a user accesses one of these compromised sites via a vulnerable iPhone (running iOS versions 13.0 to 17.2.1), the kit inadvertently captures the device’s fingerprints. If the software is outdated, it sets up a complex exploit chain to gain deep access to the phone’s system.
Once inside, malware doesn’t just sit there. He is actively hunting. It scans your device for specific apps like MetaMask, BitKeep and Phantom. It searches your photos and notes for keywords like “password,” “seed,” or “bank account.” The goal is to hack a silent crypto wallet: transfer your recovery keys to a remote server before you even realize your funds are at risk.
DISCOVER: The next possible 1000x crypto in 2026
From Spies to Scammers: A Dangerous Model
This development confirms a trend we’ve been warning about for years: advanced cyber tools are finally moving from governments to criminals. Google TAG researchers tracked the emergence of Corona as early as 2025 from commercial surveillance vendors. It was later found to have been used by alleged Russian spy groups targeting Ukraine. Now, it has fallen into the hands of financially motivated crypto thieves.
It’s the digital equivalent of military-grade equipment sold to street gangs on the black market. We are quickly observing the commercialization of zero-day exploits. Just as we’ve seen recent cases of organized crypto fraud rings expanding their operations, the arrival of Coruna shows that these groups no longer rely solely on social engineering. They buy or reuse tools that can completely bypass the security of the operating system.
Organized crime groups now operate with the sophistication previously reserved for nation states and want to collect personal data at scale.
DISCOVER: 5 high-risk cryptos
Who is at risk and how to know if you are
If you use an iPhone that is focused on trading or crypto storage, you should immediately pay attention to your iOS security settings. The Coruna exploit specifically targets devices with iOS versions older than 17.2.1. The first thing you can do: check if your iPhone has been updated to the latest version.
The scariest part of this exploitation is the silence. Unlike a phishing email where you can see the error, this attack happens in the background. If you have recently visited shady gambling sites, pop-up exchange offers, or new untrustworthy crypto aggregators, your device could have been fingerprinted.
This shows the importance of managing your private keys. As discussed in relation to the future security architecture, reliance on mobile phone software wallets, especially on older operating systems, is becoming more and more neglected.
If your seed phrase is saved in a screenshot in your Photos app or typed in the Notes app, Corona can find it, encrypt it, and pass it on to attackers.
Discover: The best hardware wallets to store your crypto
Follow 99Bitcoins on X for the latest market updates and subscribe on YouTube for daily market expert analysis.
Post iPhone Crypto Scam? Google Alerts Nation-State Wallet Drainer appeared first on 99Bitcoins.
