Google’s Threat Intelligence Group (GTIG) has exposed a new exploit kit named “Coruna” that targets Apple iPhone users and aims to steal cryptocurrency wallet seed phrases. The discovery, made in February 2025, highlights the escalating sophistication of cyber threats in the crypto space.
Coruna: A Multifaceted Threat
The Coruna kit is designed to exploit iPhones running iOS versions 13.0 up to 17.2.1, leveraging five full exploit chains and a total of 23 individual exploits, some of which were previously unknown to the public. According to GTIG, the kit has been used by a suspected Russian espionage group targeting Ukrainians and later deployed on fake Chinese crypto websites.
Technical Breakdown
GTIG first identified the exploit kit through a JavaScript framework used by a surveillance company to fingerprint devices and deliver the appropriate exploit. This framework was later discovered on compromised Ukrainian websites, where it selectively targeted iPhone users from specific geographic locations. In December, the same framework was found on a large network of fake Chinese websites, primarily related to finance and crypto, including a spoofed version of the WEEX crypto exchange.
Impact and Mitigation
When an iPhone user accesses these malicious websites, the exploit kit is delivered, and it begins to hunt for financial information, analyzing texts for seed phrases and keywords like “backup phrase” or “bank account.” The kit also targets popular crypto apps such as Uniswap and MetaMask, aiming to extract sensitive information and crypto assets.
GTIG emphasized that the latest version of iOS is not vulnerable to the Coruna kit. Users are strongly advised to update their devices to the most recent software version. For those unable to update, enabling “Lockdown Mode” on their iPhone can provide an additional layer of protection against sophisticated attacks.
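For a team managing many iPhones, the version range and the two mitigations above can be turned into an inventory triage. The following is an added example, not code from GTIG or from the original article; the CSV column names and device rows are constructed, and the iOS 16 floor for Lockdown Mode is a fact about the feature that the article does not state.

```python
import csv
import io

# Affected range as reported in the article: iOS 13.0 up to 17.2.1 (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
# Lockdown Mode was introduced in iOS 16; older releases do not have the setting.
LOCKDOWN_MIN = (16, 0, 0)

# Constructed sample inventory; the columns are a hypothetical MDM export layout.
SAMPLE_INVENTORY = """device_id,os_version,can_update
iphone-001,17.2.1,yes
iphone-002,17.3,yes
iphone-003,16.7.2,no
iphone-004,15.8,no
iphone-005,13.0,yes
iphone-006,unknown,yes
"""

def parse_version(text):
    """Return a (major, minor, patch) tuple, or None if text is not a version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "17.3" -> (17, 3, 0)

def triage(row):
    """Map one inventory row to an action using the article's range and advice."""
    version = parse_version(row["os_version"])
    if version is None:
        return "review"          # unparseable version string: needs a human look
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside-range"   # not in the range reported for the kit
    if row["can_update"].strip().lower() == "yes":
        return "update"          # primary advice: move to the latest iOS
    if version >= LOCKDOWN_MIN:
        return "lockdown-mode"   # fallback for devices that cannot update
    return "escalate"            # in range, cannot update, predates Lockdown Mode

def triage_inventory(csv_text):
    """Return {device_id: action} for every row of the inventory CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: triage(row) for row in reader}

if __name__ == "__main__":
    for device, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {action}")
```

The "escalate" bucket is the case the advice above does not cover: a device inside the reported range that can neither update nor enable Lockdown Mode.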
Origins and Attribution
The origins of the Coruna kit remain a subject of debate. While GTIG did not disclose the identity of the surveillance company’s client, iVerify, a mobile security firm, suggested that the kit could have been developed or purchased by the U.S. government. “It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government,” said Rocky Cole, co-founder of iVerify.
However, Kaspersky’s principal security researcher noted that there is no concrete evidence to support the attribution of Coruna to the same authors. The cybersecurity community remains divided on the kit’s origins, with some experts pointing to the potential for such sophisticated tools to be repurposed by cybercriminals and state-sponsored actors.
Looking Forward
The discovery of the Coruna kit underscores the ongoing battle between cybersecurity researchers and malicious actors in the crypto space. As the use of cryptocurrency continues to grow, so does the incentive for sophisticated attacks. Users must remain vigilant and take proactive steps to secure their digital assets. For tech companies and policymakers, this incident serves as a stark reminder of the need for continuous innovation in cybersecurity measures and robust regulatory frameworks to protect users from emerging threats.
