The Dark Journey of a US iPhone Hacking Tool: From Spies to Criminals (2026)

A highly sophisticated iPhone hacking toolkit appears to have wandered from government hands into the broader world, landing with criminals and foreign spies and potentially changing how we think about mobile security.

A powerful iPhone exploitation method—used to silently hijack iOS devices when users simply visit a compromised website—has evolved from a rare, controlled tool into something that’s now circulating more widely. Google researchers describe this toolkit, named “Coruna,” as a collection of five complete attack techniques capable of bypassing iPhone defenses and covertly installing malware during website visits. In all, Coruna can exploit 23 distinct iOS vulnerabilities, indicating it was crafted by a well-resourced group, likely state-sponsored.

What makes this story particularly unsettling is the path Coruna has traveled. Google traces components back to an early version used in February last year by a so-called “customer of a surveillance company.” Five months later, a more complete Coruna reappeared in an espionage operation tied to a suspected Russian intelligence group, which embedded the hacking code in a normal visitor-counting element on Ukrainian websites. Then, in a separate thread, Coruna showed up in a for-profit cybercrime campaign targeting Chinese-language crypto and gambling sites to steal cryptocurrency.

One notable omission in Google’s report is the identity of the original surveillance customer. iVerify, another security firm that studied a variant of Coruna found on infected Chinese sites, suggests the toolkit may have originated as a hacking kit purchased or developed for the U.S. government. Both Google and iVerify point to connections with earlier work known as “Triangulation,” a set of exploits previously associated with a 2023 operation against Russia’s Kaspersky Lab, which Russia blamed on the NSA. The U.S. government has not commented on this claim.

English-speaking developers appear to have written at least parts of Coruna, according to iVerify’s observations. The toolkit is described as highly sophisticated, modular, and of a kind that costs millions to develop, with some modules matching components publicly attributed to U.S. government use. This has led to a provocative takeaway: if Coruna originated as a government tool, its leakage could empower adversaries and criminals alike.

An important takeaway from Google is that Apple has already patched the vulnerabilities used by Coruna in iOS updates released after the toolkit’s discovery. The confirmed exploits work on iOS versions 13 through 17.2.1 and target Safari via the WebKit framework. The researchers note that Coruna contains no confirmed method for targeting Chrome users, and that the toolkit checks for Lockdown Mode and abstains if that protection, iOS’s strongest, is enabled.

iVerify’s assessment suggests tens of thousands of devices were likely infected by the cybercriminal variant. Their analysis of network traffic, in collaboration with a partner, indicates roughly 42,000 devices connected to a command-and-control server associated with the for-profit Coruna campaign targeting Chinese-speaking victims.

The total number of victims beyond those infections—whether Ukrainians visiting compromised sites or others—is still unclear. Google declined further comment beyond the published findings, and Apple has not issued a public response.

A single, highly professional author behind the toolkit emerges as a key theme in the investigations. iVerify’s leaders describe the codebase as well-structured and cohesive, suggesting it was written by a single author or team rather than assembled piecemeal. This quality, combined with overlaps with earlier work and the apparent sophistication, prompts the view that Coruna could be a misappropriated tool rather than a brand-new creation.

There’s a broader, troubling parallel here with past incidents: when powerful, previously controlled hacking tools slip into the hands of the wrong actors, they can proliferate through brokers and be repurposed for espionage or crime. A notable real-world example cited is the sale of zero-day exploits by brokers, which can reach a wide market of buyers, often without strict exclusivity. In one high-profile case, a government contractor’s executive was sentenced for selling such tools to a Russian broker, with implications for both intelligence work and public security.

The bottom line: whether Coruna began as a U.S. government toolkit or emerged from another origin, its journey into criminal and foreign hands highlights an era where highly capable malware can move quickly across borders and sectors. Experts warn that this is an “EternalBlue moment” for mobile malware: the moment mobile devices become a contested front in global cyber conflict, much as that famous Windows-era exploit was once leaked and weaponized.


Article information

Author: Madonna Wisozk
