Google uncovers iOS exploit kit used in crypto phishing attacks
Threat researchers at Google say they have uncovered a new exploit kit targeting Apple iPhone users, aimed at stealing crypto wallet seed phrases.
The kit, named “Coruna” by its developers, targets iPhones running iOS versions 13.0 up to 17.2.1. It has “five full iOS exploit chains and a total of 23 exploits,” including ones that were previously unknown to the public, the Google Threat Intelligence Group (GTIG) said in a report on Wednesday.
The group said it first discovered the kit in February 2025 and has since tracked its use by a suspected Russian espionage group against Ukrainians, and later on fake Chinese crypto websites that aim to steal crypto.
GTIG said the kit doesn’t work with the latest version of iOS and urged iPhone users to update their devices to the latest software version. If that isn’t possible, users should put the phone in “Lockdown Mode,” which Apple says can counter sophisticated attacks.
Kit targets crypto via fake websites
GTIG said it came across parts of an iOS exploit in February 2025 in which a customer of a surveillance company used JavaScript to fingerprint the device to deliver the appropriate exploit.
Later that year, it found the same JavaScript framework hidden on multiple compromised Ukrainian websites that was “only delivered to selected iPhone users from a specific geolocation.”
GTIG said it then found the same framework in December “on a very large set of fake Chinese websites mostly related to finance,” including one that spoofed the crypto exchange WEEX.
When a user accesses the websites with an iOS device, the framework delivers the exploit kit and hunts for financial information, including analyzing texts containing seed phrases and keywords such as “backup phrase” or “bank account.”
Related: ‘ClickFix’ hackers pose as VCs, hijack QuickLens in latest crypto attacks
The kit also seeks out popular crypto apps, including Uniswap and MetaMask, to extract crypto or sensitive information.
Coruna’s US intelligence origins debated
GTIG did not name the customer of the surveillance company from which the exploit kit is said to have originated, but the mobile security company iVerify told WIRED it could have been built or bought by the US government.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” iVerify co-founder Rocky Cole told WIRED.
“This is the first example we’ve seen of very likely US government tools — based on what the code is telling us — spinning out of control and being used by both our adversaries and cybercriminal groups.”
However, Kaspersky’s principal security researcher told The Register that the cybersecurity company saw “no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors.”
Magazine: Meet the onchain crypto detectives fighting crime better than the cops
About Author
