The iPhone exploit kit governments built is now stealing your crypto
Somewhere right now, a website you might visit tomorrow is silently probing your iPhone, checking its iOS version, confirming Lockdown Mode is off, and preparing to deliver one of 23 exploits designed to crack your device wide open. No tap required. No suspicious link to click. Just a webpage.
The toolkit that was never supposed to leave the building
Security researchers at Google's Threat Intelligence Group and mobile security firm iVerify have independently confirmed the existence of Coruna: a military-grade iPhone hacking toolkit containing five complete exploit chains and 23 separate vulnerabilities. The kit targets every iPhone running iOS 13 through 17.2.1, which covers models released between September 2019 and December 2023.
The code is written in native English with extensive documentation, including internal comments that read like a developer's handbook. iVerify's reverse engineering concluded the toolkit "appears to have been built on the same foundations as known US government hacking tools." It shares modules with Operation Triangulation, the 2023 campaign that Russia attributed to the NSA after it was used against Kaspersky researchers.
Building something like this costs millions. It was never meant for public circulation.
From spies to thieves: how government weapons went retail
Google tracked Coruna's migration through three distinct phases. In February 2025, it appeared in the hands of a surveillance company's customer, a standard government intelligence operation. By July 2025, it had surfaced in watering hole attacks on Ukrainian websites, embedded as hidden iframes by UNC6353, a suspected Russian espionage group. The exploit code was served selectively: only iPhones from specific geolocations received the payload.
Then something shifted. By December 2025, Coruna showed up on fake Chinese cryptocurrency and gambling websites. The payload had been rewritten entirely. Instead of surveillance implants, the stager binary now searched victims' phones for crypto wallet apps like MetaMask and BitKeep, hunted for keywords like "backup phrase" and "bank account," and exfiltrated recovery seeds and exchange credentials.
The result: 42,000 iPhones compromised, a number iVerify called "massive" for iOS. This is the first documented case of a criminal group using nation-state-grade exploit tools for mass financial theft on mobile devices.
The secondhand exploit economy nobody talks about
How did a toolkit built for a US government contractor end up in the hands of Russian spies and Chinese crypto thieves? Google's report is blunt: the answer remains unclear, but the pattern "suggests an active market for secondhand zero-day exploits."
This is not an isolated incident. Google's latest threat report found 90 zero-day vulnerabilities exploited in 2025, up from 78 the year before. For the first time, commercial surveillance vendors were responsible for more attributed zero-day exploitation than traditional state-sponsored groups, directly exploiting 15 vulnerabilities. The supply chain for digital weapons is globalizing, and the buyers are no longer just governments.
The specific CVEs in Coruna tell the story: CVE-2024-23222, a WebKit flaw patched in early 2024; CVE-2022-48503, added to CISA's Known Exploited Vulnerabilities catalog in October 2025; and CVE-2023-38606, one of the Operation Triangulation exploits from 2023. Old vulnerabilities, still lethal on unpatched devices.
What this means for your iPhone right now
Coruna specifically avoids two things: devices running the latest iOS version and devices with Lockdown Mode enabled. The hidden JavaScript framework checks both before deploying any exploit. If either condition is met, it aborts silently.
Your defense is straightforward but urgent. Update your iPhone to the latest iOS version immediately. Every device still running iOS 17.2.1 or earlier is a potential target. Enable Lockdown Mode if you handle sensitive financial data or travel to high-risk regions. And recognize that the old assumption ("iPhones don't get hacked") died the moment a government's own weapons went retail.
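For anyone responsible for more than one phone, the same advice can be turned into a fleet check. The script below is an added example, not code from Google, iVerify or this article: it flags devices whose iOS version falls in the iOS 13 through 17.2.1 range given above and whose Lockdown Mode is off. The inventory columns and device names are constructed assumptions, not any MDM product's export format.

```python
import csv
import io

# Affected range as stated in the article: iOS 13 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """device,os_version,lockdown_mode
exec-iphone-01,17.2.1,off
fin-iphone-02,16.7,on
dev-iphone-03,17.3,off
lab-iphone-04,unknown,off
"""

def parse_version(text):
    """Turn '16.7' or '17.2.1' into a 3-tuple so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def in_affected_range(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def triage(inventory_csv):
    """Return (device, status, reason) for every row in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            exposed = in_affected_range(row["os_version"])
        except ValueError:
            # Never treat an unreadable version as safe.
            findings.append((row["device"], "REVIEW", "version unreadable"))
            continue
        lockdown = row["lockdown_mode"].strip().lower() == "on"
        if exposed and not lockdown:
            findings.append((row["device"], "URGENT", "affected range, Lockdown Mode off"))
        elif exposed:
            findings.append((row["device"], "PATCH", "affected range, Lockdown Mode on"))
        else:
            findings.append((row["device"], "OUTSIDE", "outside stated range"))
    return findings

if __name__ == "__main__":
    for device, status, reason in triage(SAMPLE_INVENTORY):
        print(f"{status:8} {device:16} {reason}")
```

A device marked OUTSIDE is only outside the range this article gives for Coruna; it still needs to stay on the latest iOS release.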
The 42,000 devices already compromised got hit by visiting a single webpage. The next wave of attacks using these tools is not a matter of if. It is a matter of which website.
Sources and References
- Google Threat Intelligence Group — Google TIG tracked Coruna across three distinct threat actors: from surveillance vendor customer in Feb 2025, to Russian espionage group UNC6353 targeting Ukrainian websites in July 2025, to Chinese cybercriminals on fake crypto sites by Dec 2025.
- iVerify — 42,000 iPhones compromised by Coruna, making it the first observed mass exploitation of mobile phones by a criminal group using tools likely built by a nation-state.
- Help Net Security — Coruna chains 23 vulnerabilities across 5 exploit chains targeting iOS 13.0-17.2.1, including CVE-2024-23222, CVE-2022-48503, and CVE-2023-38606. The stager binary decodes QR codes, hunts for backup phrases, and extracts MetaMask and BitKeep wallets.
- Google Threat Intelligence Group (via The Record) — 90 zero-day vulnerabilities exploited in 2025, up from 78 in 2024. Commercial surveillance vendors responsible for more attributed zero-day exploitation than traditional state-sponsored groups for the first time, directly exploiting 15 vulnerabilities.



