Synopsis: Researchers say fake crypto websites deployed an iOS exploit kit capable of stealing wallet seed phrases and other financial data. Let’s dive deep into this issue.
A dangerous hacking tool is quietly targeting iPhone users around the world. Google’s Threat Intelligence Group (GTIG) published a report on March 3, 2026, exposing the threat. The kit steals crypto wallet seed phrases and sensitive financial data. Criminals hide it inside fake websites to deliver it.
The tool is called “Coruna.” Its own developers gave it that name. GTIG says it attacks iPhones running iOS 13.0 through 17.2.1. That covers devices from September 2019 to December 2023. Millions of iPhone users fall within that range.
Furthermore, the kit is highly capable. It contains five full exploit chains and 23 individual exploits. Several of those were unknown to the public before Google found them. This level of sophistication is rare even among state-sponsored tools.
How the Kit Targets Crypto Users Through Fake Sites
Coruna does not spread through app downloads or emails. Instead, attackers hide it inside fake websites. These sites pretend to be crypto exchanges or financial platforms. One fake site even copied the real crypto exchange WEEX.
When someone visits one of these sites on an iPhone, the attack begins silently. A hidden code scans the device and delivers the right exploit automatically. The user clicks nothing suspicious. The attack simply runs in the background.
After gaining access, the kit searches the device for financial information. It looks for texts containing keywords like “backup phrase,” “seed phrase,” or “bank account.” It also scans images for QR codes. Additionally, it directly targets popular crypto apps. MetaMask, Uniswap, BitKeep, OKEx, and Coin98 are all on its list.
Therefore, users who store seed phrases digitally face the greatest risk. The kit reads those phrases and sends them back to the attackers. Once criminals get a seed phrase, they can drain a wallet completely.
From Government Tool to Criminal Weapon
Coruna did not begin as a criminal tool. GTIG traced its journey across three stages. In February 2025, Google first spotted Coruna being used by a customer of a commercial surveillance company. It targeted specific individuals at that point. By July 2025, a suspected Russian espionage group repurposed it. They launched attacks on Ukrainian websites. Then in December 2025, a financially motivated Chinese cybercrime group adopted it for mass-scale crypto phishing.
This progression alarmed security researchers. Advanced hacking tools usually stay in tightly controlled circles. However, Coruna moved from surveillance to espionage to open criminal activity within a single year. As a result, thousands of iPhones were likely compromised.
Rocky Cole, co-founder of mobile security firm iVerify, told WIRED that the kit cost millions of dollars to develop. He said it bears the hallmarks of tools previously linked to the US government. “This is the first example we’ve seen of very likely US government tools spinning out of control,” he said.
Also Read: Bitcoin’s Rally Is Running Out of Road. Here’s Why
Did the US Government Build This?
Not everyone agrees on Coruna’s origins. GTIG did not name the surveillance company connected to it. Nevertheless, iVerify believes it may have been built or bought by the US government.
Kaspersky’s principal security researcher pushed back. The researcher told The Register there is no evidence of actual code reuse to connect Coruna to US government authors. The debate, therefore, remains unresolved.
Regardless of where it came from, Coruna is now in criminal hands. Moreover, it is actively targeting everyday crypto users not just high-profile individuals.
What iPhone Users Should Do Right Now
Google urged all iPhone users to act immediately. Coruna does not work on the latest iOS versions. Updating your phone closes the door on this exploit entirely.
If updating is not possible, Apple recommends enabling Lockdown Mode. This feature counters sophisticated attacks on older devices. Users should also avoid clicking unsolicited links to crypto or finance websites. Never enter a seed phrase on any site you did not actively seek out yourself.
For extra safety, store seed phrases on a hardware wallet rather than digitally. The kit specifically searches messages, notes, and photos for those phrases. Deleting stored seed phrases from your device removes a key target.
Coruna marks a troubling new shift in iOS attacks. Tools once aimed at politicians and executives are now being used against ordinary crypto users at scale. Accordingly, the threat is no longer distant it is on the phones people use every day.
Written by Fazal Ul Vahab C H
