Security researchers at Google say they have discovered a new exploit kit targeting Apple iPhone users, designed to steal cryptocurrency wallet seed phrases.
The toolkit, called “Coruna” by its developers, targets iPhones running iOS versions 13.0 through 17.2.1. According to a report released Wednesday by the Google Threat Intelligence Group (GTIG), the kit contains five complete iOS exploit chains and 23 total exploits, including several that had not previously been disclosed publicly.
GTIG said it first detected the exploit kit in February 2025 and has since observed it being used by a suspected Russian espionage group targeting Ukrainian users. Researchers later found it linked to fake Chinese cryptocurrency websites designed to steal digital assets.
GTIG noted that the exploit kit does not work on the latest version of iOS and urged iPhone users to update their devices to the newest software. For those unable to update, enabling Lockdown Mode, a security feature provided by Apple, can help defend against advanced cyberattacks.
Fake sites used to deliver the exploit
GTIG said it initially identified parts of the exploit in February 2025 when a surveillance company’s client used JavaScript to fingerprint a device and deliver the appropriate exploit.
Later in the year, researchers found the same JavaScript framework embedded on several compromised Ukrainian websites. The malicious code was configured to target only specific iPhone users located in certain geographic regions.

According to GTIG, the same exploit framework was later discovered in December on a large network of fake Chinese websites, many posing as financial platforms. One of the sites even impersonated the cryptocurrency exchange WEEX.
When an iPhone user visits these sites, the framework deploys the exploit kit and searches the device for financial data. It scans messages for sensitive terms such as “backup phrase” or “bank account,” attempting to capture cryptocurrency wallet seed phrases.
The malware also targets widely used crypto applications like Uniswap and MetaMask, aiming to extract digital assets or other sensitive information.
Debate over possible US intelligence links
GTIG did not reveal the identity of the surveillance company customer believed to be connected to the exploit kit. However, mobile security firm iVerify told WIRED that the toolkit may have been developed or acquired by the United States government.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” iVerify co-founder Rocky Cole said.
Cole added that this could represent the first case where tools likely originating from US government development — based on analysis of the code — have spread beyond their intended use and ended up in the hands of adversaries and cybercriminal groups.
However, a principal security researcher at Kaspersky told The Register that there is currently no clear evidence in published reports showing code reuse that would link Coruna to the same developers.

