Coruna iPhone Exploit Targets Crypto Wallets, Security Researchers Warn

In Brief

Cybersecurity researchers have uncovered the Coruna exploit kit, a sophisticated toolkit that targets iPhones running iOS 13–17.2.1 to steal cryptocurrency wallet credentials through multiple zero-day vulnerabilities.

Researchers on cybersecurity have discovered a potent hacking toolkit, which can bypass the security system of Apple iPhones and steal cryptocurrency out of the wallet of the user. The exploit kit is called Coruna and exploits several vulnerabilities in the Apple mobile operating system and has already been deployed in espionage and monetarily motivated cybercriminal activities.

Google Threat Intelligence Group security researchers discovered that the Coruna framework has 23 different exploits bundled into multiple attack chains that enable hackers to attack the devices using older versions of Apple mobile software. After the deployment, the malware scans devices with sensitive data, such as cryptocurrency wallet and banking credentials.

The finding underscores the increasing risks for cryptocurrency consumers who use mobile wallets to store digital assets at risk. With mobile trading and decentralized finance apps becoming more and more popular, attackers are starting to target smartphones as a point of access to digital funds through them.

A Sophisticated Toolkit With Multiple Attack Paths

The Coruna exploit kit is regarded as one of the most sophisticated iPhone attack structures ever reported publicly. Security experts indicate that the toolkit can attack devices operating versions of the Apple operating system, including iOS 13 through iOS 17.2.1, which is applicable to iPhones released between 2019 and the end of 2023.

Instead of having one vulnerability, Coruna combines 23 different exploits in 5 entire attack chains, allowing it to overcome several levels of security protection at Apple.

The attack does not, in many instances, need any form of interaction since it only involves visiting a malicious site. After the compromised page is loaded on a vulnerable device, the concealed exploit code is automatically executed, enabling the attacker to take control of the phone and install malware.

The first fingerprints the gadget to determine the model of iPhone and the type of operating system in use. It then chooses the right exploit chain to compromise security measures and install malicious software

Crypto Wallets Become a Primary Target

Once the device has been compromised, the malware aims at stealing valuable data, especially cryptocurrency credentials. According to investigators, the implant scans messages, notes, and application data to find keywords based on crypto recovery phrases.

The malware searches specifically for the words mnemonic phrase, backup phrase, and bank account that are generally linked with wallet recovery programs. When such phrases are discovered, the attackers can use them to get back the wallet of the victim on a different device and have full access to the money.

According to researchers, the exploit kit is targeting numerous popular decentralized wallet apps, such as platforms that link users to decentralized finance protocols and trading platforms.

The reports indicate that at least 18 crypto applications would support such kind of data extraction when they are installed on the compromised devices. After the malware collects sensitive data, it transmits the data to remote command-and-control servers controlled by attackers so that they can empty the wallets of the affected persons within a short time.

From Espionage Tool to Criminal Weapon

The way the Coruna exploit kit spread to various threat actors is one of the most alarming issues regarding the Coruna exploit kit. According to investigators, the framework was first noted in 2025 as part of directed surveillance activities associated with a client of a commercial spyware.

Additionally in the same year, the same exploit infrastructure was used in the so-called watering hole attacks of Ukrainian websites, in an attack orchestrated by a purported Russian spy group.

By 2025, the toolkit re-emerged in financially focused operations by cybercriminal organizations with fake cryptocurrency and gambling sites.

Security researchers assume that the hackers installed the exploit kit on hundreds of rogue websites, where tens of thousands of devices were infected, and the user information about the crypto wallets was stolen by the attackers. The development of the toolkit shows how the best cyber-espionage technologies may finally find their way to the rest of the criminal ecosystem.

A Growing Market for Zero-Day Exploits

Security analysts note that Coruna is indicative of an even bigger trend in the cybersecurity sector. The development of an underground market in advanced hacking equipment.

More sophisticated exploit frameworks built by governments to spy on their citizens or gather intelligence data occasionally make it into the hands of individual vendors or black markets, eventually falling into the hands of cybercriminals.

It has recently been reported that Coruna can go as far as be compared to the previous high-profile iPhone surveillance efforts like Operation Triangulation, which exploited still undisclosed vulnerabilities to compromise Apple devices.

The fact that these tools have moved out of the espionage sphere to financial cybercrime is of concern, considering the fact that the advanced exploits can reach the underground markets very fast.

Apple Devices Not Immune to Large-Scale Attacks

Over the years, the mobile ecosystem of Apple has been seen as safer compared to most other rival systems because of a highly restrictive application environment and closed hardware-software system.

Nevertheless, cases such as Coruna show that the most secure systems may be breached in the event that attackers can access more than one zero-day vulnerability.

The design of the exploit kit is especially worrying, according to security analysts, since this will enable the term mass exploitation and not targeted surveillance. A single rogue site would infect any susceptible machine that visits the site.

According to the experts, this is particularly dangerous to those who use cryptocurrency and regularly use decentralized applications, token claim pages, or third-party trading service providers, as crypto scams continue to grow.

Protection Measures and Apple’s Response

Luckily, researchers indicate that in the newer releases of its operating system, Apple already addressed the vulnerabilities that Coruna exploited.

It is not suspected that the exploit kit can affect users using the latest versions of iOS. iPhone users have been advised by their security teams to upgrade their phones to the latest release of iOS at once. The vulnerabilities that enable Coruna to access the system at the first point are eliminated by the update.

To protect their devices, the experts also suggest turning on the Lockdown Mode, which is an option on Apple devices and only allows users to avoid advanced spyware intrusion in case they cannot update their devices. Coruna, as researchers claim, automatically suspends its running in case Lockdown Mode is detected on a device.