Google’s Threat Intelligence Group has disclosed a new iOS exploit kit, dubbed “Coruna,” which has been deployed to compromise cryptocurrency wallets and other financial data on Apple devices. The kit targets iPhones running iOS 13 through 17.2.1, leveraging five exploit chains and 23 vulnerabilities, including previously undisclosed zero-day exploits. Google first identified Coruna in February 2025 and has tracked its use on compromised Ukrainian websites and later on fake Chinese crypto platforms.
The attack framework employs JavaScript to fingerprint devices, delivering exploits only to selected users based on geolocation. Once executed, the kit searches for sensitive information, including wallet seed phrases, banking details, and text containing keywords like “backup phrase.”
It also targets popular crypto applications such as MetaMask and Uniswap to extract private data. Researchers warned that users running older iOS versions are particularly vulnerable and recommended updating devices or using Apple’s Lockdown Mode to mitigate the risk. The origins of Coruna remain debated. Mobile security analysts suggest it may have been developed or acquired by a government surveillance entity in the US, citing its technical sophistication and resource-intensive development. However, independent cybersecurity experts caution that no conclusive evidence links the code to any specific intelligence agency.
