Google Exposes 'Coruna' iPhone Exploit Kit Targeting Crypto Wallet Seed Phrases

Key takeaways:

  • Sophisticated iPhone exploits targeting crypto wallets highlight growing security risks for mobile-based investors.
  • Repurposing of state-level cyber tools signals increased threat sophistication requiring proactive security updates.
  • Targeting of Uniswap and MetaMask suggests attackers are focusing on high-value DeFi and Web3 users.

Google's Threat Intelligence Group (GTIG) has uncovered a sophisticated and powerful new exploit kit, dubbed "Coruna," specifically designed to target Apple iPhone users and steal cryptocurrency wallet seed phrases. The kit, which contains five full iOS exploit chains and a total of 23 exploits, targets iPhones running iOS versions 13.0 up to 17.2.1, utilizing some vulnerabilities previously unknown to the public.

GTIG first discovered the kit in February 2025, initially tracking its use by a suspected Russian espionage group against Ukrainian targets. By December 2025, the same framework was found deployed on a large set of fake Chinese websites, many related to finance, including one spoofing the crypto exchange WEEX. When a user visits these sites with a vulnerable iOS device, the kit is delivered and actively hunts for financial information, scanning text for seed phrases and keywords like "backup phrase" or "bank account."

The exploit kit also specifically seeks out popular crypto applications such as Uniswap and MetaMask to extract crypto assets or sensitive data. Google emphasizes that the kit does not work on the latest version of iOS and strongly urges all iPhone users to update their devices to the newest software. If updating is not possible, enabling Apple's "Lockdown Mode" is recommended to counter such sophisticated attacks.

The origins of the Coruna kit are debated within the security community. Mobile security firm iVerify suggested to WIRED that the toolkit's sophistication—requiring millions of dollars to develop—and its code hallmarks point to a likely origin within the U.S. government, marking a concerning case of government-grade tools being repurposed by adversaries and cybercriminals. However, researchers from Kaspersky have stated they saw no direct evidence in published reports to support attributing the code to the same authors.
