Coruna iPhone Exploit Targets Crypto Wallets, Security Researchers Warn
In Brief
Cybersecurity researchers have uncovered the Coruna exploit kit, a sophisticated toolkit that targets iPhones running iOS 13–17.2.1 to steal cryptocurrency wallet credentials through multiple zero-day vulnerabilities.
Researchers on cybersecurity have discovered a potent hacking toolkit, which can bypass the security system of Apple iPhones and steal cryptocurrency out of the wallet of the user. The exploit kit is called Coruna and exploits several vulnerabilities in the Apple mobile operating system and has already been deployed in espionage and monetarily motivated cybercriminal activities.
Google Threat Intelligence Group security researchers discovered that the Coruna framework has 23 different exploits bundled into multiple attack chains that enable hackers to attack the devices using older versions of Apple mobile software. After the deployment, the malware scans devices with sensitive data, such as cryptocurrency wallet and banking credentials.
The finding underscores the increasing risks for cryptocurrency consumers who use mobile wallets to store digital assets at risk. With mobile trading and decentralized finance apps becoming more and more popular, attackers are starting to target smartphones as a point of access to digital funds through them.
A Sophisticated Toolkit With Multiple Attack Paths
The Coruna exploit kit is regarded as one of the most sophisticated iPhone attack structures ever reported publicly. Security experts indicate that the toolkit can attack devices operating versions of the Apple operating system, including iOS 13 through iOS 17.2.1, which is applicable to iPhones released between 2019 and the end of 2023.
Instead of having one vulnerability, Coruna combines 23 different exploits in 5 entire attack chains, allowing it to overcome several levels of security protection at Apple.
The attack does not, in many instances, need any form of interaction since it only involves visiting a malicious site. After the compromised page is loaded on a vulnerable device, the concealed exploit code is automatically executed, enabling the attacker to take control of the phone and install malware.
The first fingerprints the gadget to determine the model of iPhone and the type of operating system in use. It then chooses the right exploit chain to compromise security measures and install malicious software.
Crypto Wallets Become a Primary Target
Once the device has been compromised, the malware aims at stealing valuable data, especially cryptocurrency credentials. According to investigators, the implant scans messages, notes, and application data to find keywords based on crypto recovery phrases.
The malware searches specifically for the words mnemonic phrase, backup phrase, and bank account that are generally linked with wallet recovery programs. When such phrases are discovered, the attackers can use them to get back the wallet of the victim on a different device and have full access to the money.
According to researchers, the exploit kit is targeting numerous popular decentralized wallet apps, such as platforms that link users to decentralized finance protocols and trading platforms.
The reports indicate that at least 18 crypto applications would support such kind of data extraction when they are installed on the compromised devices. After the malware collects sensitive data, it transmits the data to remote command-and-control servers controlled by attackers so that they can empty the wallets of the affected persons within a short time.
From Espionage Tool to Criminal Weapon
The way the Coruna exploit kit spread to various threat actors is one of the most alarming issues regarding the Coruna exploit kit. According to investigators, the framework was first noted in 2025 as part of directed surveillance activities associated with a client of a commercial spyware.
Additionally in the same year, the same exploit infrastructure was used in the so-called watering hole attacks of Ukrainian websites, in an attack orchestrated by a purported Russian spy group.
By 2025, the toolkit re-emerged in financially focused operations by cybercriminal organizations with fake cryptocurrency and gambling sites.
Security researchers assume that the hackers installed the exploit kit on hundreds of rogue websites, where tens of thousands of devices were infected, and the user information about the crypto wallets was stolen by the attackers. The development of the toolkit shows how the best cyber-espionage technologies may finally find their way to the rest of the criminal ecosystem.
A Growing Market for Zero-Day Exploits
Security analysts note that Coruna is indicative of an even bigger trend in the cybersecurity sector. The development of an underground market in advanced hacking equipment.
More sophisticated exploit frameworks built by governments to spy on their citizens or gather intelligence data occasionally make it into the hands of individual vendors or black markets, eventually falling into the hands of cybercriminals.
It has recently been reported that Coruna can go as far as be compared to the previous high-profile iPhone surveillance efforts like Operation Triangulation, which exploited still undisclosed vulnerabilities to compromise Apple devices.
The fact that these tools have moved out of the espionage sphere to financial cybercrime is of concern, considering the fact that the advanced exploits can reach the underground markets very fast.
Apple Devices Not Immune to Large-Scale Attacks
Over the years, the mobile ecosystem of Apple has been seen as safer compared to most other rival systems because of a highly restrictive application environment and closed hardware-software system.
Nevertheless, cases such as Coruna show that the most secure systems may be breached in the event that attackers can access more than one zero-day vulnerability.
The design of the exploit kit is especially worrying, according to security analysts, since this will enable the term mass exploitation and not targeted surveillance. A single rogue site would infect any susceptible machine that visits the site.
According to the experts, this is particularly dangerous to those who use cryptocurrency and regularly use decentralized applications, token claim pages, or third-party trading service providers, as crypto scams continue to grow.
Protection Measures and Apple’s Response
Luckily, researchers indicate that in the newer releases of its operating system, Apple already addressed the vulnerabilities that Coruna exploited.
It is not suspected that the exploit kit can affect users using the latest versions of iOS. iPhone users have been advised by their security teams to upgrade their phones to the latest release of iOS at once. The vulnerabilities that enable Coruna to access the system at the first point are eliminated by the update.
To protect their devices, the experts also suggest turning on the Lockdown Mode, which is an option on Apple devices and only allows users to avoid advanced spyware intrusion in case they cannot update their devices. Coruna, as researchers claim, automatically suspends its running in case Lockdown Mode is detected on a device.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.
More articles
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.
