
Your iPhone Could Be a Crypto Thief’s Target: Google Exposes ‘Coruna’ Exploit Kit

Google has exposed "Coruna," an iPhone exploit framework that began life as nation-state surveillance software and has since been repurposed to silently drain cryptocurrency wallets at an unprecedented scale.

Written By:
Dhara Chavda

Reviewed By:
Divya Mistry

Last updated: March 5, 2026 3:38 PM
Published 2026-03-05

Key Highlights

  • The “Coruna” kit bundles 23 individual exploits into 5 full chains, targeting every iPhone and iPad running iOS 13.0 through iOS 17.2.1.
  • Updating to iOS 17.3 or later (current: iOS 26) renders Coruna entirely ineffective; enabling Lockdown Mode causes the malware to self-terminate on contact.

Google’s Threat Intelligence Group (GTIG) published what security researchers are already calling one of the most alarming mobile threat disclosures in years. The report detailed the inner workings of a fully operational iPhone exploit kit, internally dubbed “Coruna” and also tracked under the alias CryptoWaters—a name that hints at its ultimate purpose.

The kit is not novel in the technical sense; the iPhone exploit ecosystem is a well-documented, multi-billion-dollar underground market. What makes Coruna exceptional, and alarming, is its trajectory. A tool precision-engineered for covert government surveillance has been commoditized, repurposed, and is now being unleashed against ordinary cryptocurrency holders at a scale previously unseen in the mobile threat landscape.

The three faces of a roaming weapon

Google’s report traces a remarkable, almost cinematic chain of custody for the Coruna codebase. The same exploit framework appears to have passed through the hands of three distinct threat actors over the course of roughly 12 months—each with starkly different motivations.

The earliest documented use, in February 2025, was by a customer of an unnamed private surveillance vendor—a company operating in the same grey-market space as NSO Group, maker of the infamous Pegasus spyware. This phase was characterized by the narrow, high-value targeting typical of commercial spyware: politicians, journalists, and dissidents.

By the summer of 2025, however, GTIG detected the same exploit chains in a geopolitically charged context. The group designated UNC6353, assessed with moderate-to-high confidence to be Russian government-aligned, was using Coruna to target Ukrainian citizens and infrastructure personnel. The tool had moved from commerce to statecraft.

Then, in late 2025 and into early 2026, a Chinese-speaking financially motivated cybercrime group, tracked as UNC6691, acquired the kit and pivoted its targeting entirely. The goal was no longer surveillance. It was theft—specifically, the theft of Bitcoin and other digital assets from unsuspecting iPhone users.

The ‘watering hole’ infrastructure

UNC6691 deployed Coruna not through phishing emails or infected app downloads—vectors that most users have been trained to distrust—but through a more insidious technique known as a “watering hole” attack. Rather than chasing victims, the attackers poisoned the wells that victims habitually visit.

The group constructed convincing counterfeit versions of popular cryptocurrency exchanges and financial platforms. A documented example is a spoofed version of WEEX, a legitimate crypto trading platform. These fake sites are designed to be functionally indistinguishable from their real counterparts, often surfacing through search engine optimization or paid promotion channels.

When an iPhone user lands on one of these pages, a concealed iFrame executes a device fingerprinting routine. The script silently checks the iOS version. If the device is running iOS 17.2.1 or any earlier version, stretching all the way back to iOS 13.0, the exploit chain fires automatically. No tap, no download, no interaction required. Some sites even displayed prompts actively encouraging users to switch to an iOS device for a “better experience,” funneling additional vulnerable targets toward the exploit.

Steps for iPhone users to protect themselves

The defensive picture, while sobering, is not without clear and actionable remedies. Google’s report and subsequent analysis by independent researchers point to four priority actions:

  1. Update iOS Immediately: Coruna is entirely ineffective against iOS 17.3 and later (current release: iOS 26). Any device updated within the past year is protected.
  2. Enable Lockdown Mode: Google confirmed that Coruna’s PlasmaLoader automatically self-terminates upon detecting that Lockdown Mode is active. This is the single most effective real-time defense.
  3. Use a Hardware Wallet: Private keys stored on a hardware wallet (Ledger, Trezor) never touch the iOS environment. Even a fully compromised iPhone cannot access funds secured offline in this manner.
  4. Purge Sensitive Photos: PlasmaLoader scans photo galleries for wallet QR codes. Delete any images containing seed phrases, private keys, or wallet backup codes—or store them only on offline media.

Security researchers also note that Coruna skips execution when it detects the user is in a private or incognito browsing session—an apparent anti-forensics measure to reduce the digital footprint of the attack. While this is not a reliable or recommended primary defense, it is an interesting behavioral signature that may assist incident responders in attribution.
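
For teams that manage more than one device, the first two steps above can be turned into a triage pass over a device inventory. The script below is an added example, not code from Google's report or from this article; the CSV column names and the sample rows are constructed assumptions about what an MDM export might look like.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13.0 through iOS 17.2.1.
FIRST_AFFECTED = (13, 0, 0)
LAST_AFFECTED = (17, 2, 1)

# Constructed sample; the column names are an assumed MDM export layout.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
ipad-finance-01,iPadOS 17.2.1,no
iphone-ops-02,17.3,no
iphone-exec-03,16.7,yes
iphone-lab-04,12.5.7,no
iphone-byod-05,unknown,no
iphone-dev-06,26.0,no
"""

def parse_version(text):
    """Turn '17.3', 'iOS 16.7' or 'iPadOS 17.2.1' into a 3-tuple, else None."""
    m = re.fullmatch(r"\s*(?:iOS|iPadOS)?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*",
                     text, re.IGNORECASE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(os_version, lockdown_mode):
    """Label one device against the stated range and Lockdown Mode status."""
    v = parse_version(os_version)
    if v is None:
        return "unknown-version"       # never assume an unparsed version is safe
    if v > LAST_AFFECTED:
        return "patched"               # iOS 17.3 or later
    if v < FIRST_AFFECTED:
        return "below-stated-range"    # the article makes no claim about these
    return "in-range-lockdown" if lockdown_mode else "in-range"

def triage(csv_text):
    """Group device ids by label so the 'in-range' bucket can be updated first."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        locked = row["lockdown_mode"].strip().lower() in ("yes", "true", "1")
        label = classify(row["os_version"], locked)
        buckets.setdefault(label, []).append(row["device_id"])
    return buckets

if __name__ == "__main__":
    for label, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{label:20} {', '.join(devices)}")
```

Devices in the "in-range" bucket are the ones to update first; "in-range-lockdown" devices still need the update, and "unknown-version" rows need a manual check.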
