Leaked iPhone exploit kit linked to US tools hits 42,000 devices
A powerful iPhone hacking toolkit capable of silently compromising devices has moved from a government-linked surveillance operation into espionage campaigns and criminal cryptocurrency theft networks, according to research from Google and mobile security firm iVerify. The toolkit, known as Coruna, contains a collection of advanced exploits designed to bypass iPhone security protections when a user simply visits a malicious webpage.
Researchers say the framework includes five complete attack chains built from 23 separate vulnerabilities in Apple’s iOS operating system. These chains enable attackers to compromise devices without requiring the victim to download software or interact with anything beyond loading the page, making the attacks virtually invisible to users.
The evolution of Coruna from state-sponsored surveillance to criminal exploitation represents a troubling trend in mobile security. Initially developed for intelligence gathering, the toolkit has now fallen into the hands of cryptocurrency thieves who use it to steal digital assets worth millions of dollars. The sophistication of these attacks has increased dramatically, with criminals now leveraging the same zero-click capabilities that were once the exclusive domain of nation-state actors.
What makes Coruna particularly dangerous is its ability to exploit multiple vulnerabilities in succession, creating attack chains that can bypass Apple’s layered security defenses. Each chain targets different components of iOS, from the browser engine to system services, ensuring that if one exploit fails, others will continue the compromise attempt. This redundancy makes the toolkit highly reliable and difficult to defend against.
The cryptocurrency angle adds a new dimension to the threat. Attackers can use Coruna to gain complete control over victims’ devices, including access to cryptocurrency wallets, banking apps, and other financial services. The silent nature of the compromise means victims often remain unaware that their devices have been compromised until their digital assets have already been stolen.
Google’s Threat Analysis Group and iVerify’s researchers discovered the expanded use of Coruna while investigating suspicious activity patterns across multiple campaigns. They found that the toolkit was being actively used in at least three distinct types of operations: government surveillance, corporate espionage, and cryptocurrency theft. The crossover between these different threat actors suggests that the toolkit has become widely available within underground communities.
The technical sophistication of Coruna is evident in its design. Each exploit chain is carefully engineered to work across multiple iOS versions, making the toolkit effective against a wide range of devices. The attackers have also implemented sophisticated anti-detection measures, including the ability to detect when the toolkit is being analyzed in a sandbox environment and respond by terminating the attack.
Apple has been working to patch the vulnerabilities exploited by Coruna, but the toolkit’s modular design means that even if some exploits are fixed, others may still work. The company faces an ongoing challenge in securing iOS against such sophisticated threats, particularly when the attackers have access to multiple zero-day vulnerabilities simultaneously.
The implications extend beyond individual device compromises. Organizations that allow employees to use personal devices for work are particularly vulnerable, as compromised iPhones can serve as entry points into corporate networks. The toolkit’s ability to extract data silently makes it an ideal tool for industrial espionage, where competitors might seek to steal trade secrets or intellectual property.
Law enforcement agencies are also concerned about the toolkit’s potential use in criminal activities beyond cryptocurrency theft. The ability to compromise devices silently could facilitate identity theft, financial fraud, and even blackmail schemes. The global nature of the threat means that attacks can originate from anywhere and target victims worldwide.
For iPhone users, the discovery of Coruna’s expanded use serves as a stark reminder of the importance of maintaining device security. While Apple continues to improve iOS security, the sophistication of threats like Coruna demonstrates that no system is completely immune to determined attackers. Users should remain vigilant about the websites they visit and consider using additional security measures such as VPN services and security-focused browsers.
The security community is now racing to understand the full scope of Coruna’s capabilities and develop effective countermeasures. This includes not only technical solutions but also improved detection methods that can identify when devices have been compromised by such advanced toolkits. The challenge is compounded by the fact that many victims may never realize their devices have been compromised, making it difficult to assess the true scale of the threat.
As mobile devices become increasingly central to our digital lives, the stakes for securing them continue to rise. The evolution of Coruna from government surveillance tool to criminal weapon highlights the dual-use nature of surveillance technology and the risks associated with its proliferation. It also underscores the need for continued investment in mobile security research and the development of more robust defense mechanisms.
The discovery of Coruna’s expanded use also raises questions about the broader ecosystem of surveillance tools and their potential for misuse. As governments and corporations develop increasingly sophisticated hacking capabilities, the line between legitimate security operations and criminal activity becomes increasingly blurred. This trend suggests that the mobile security landscape will only become more complex and challenging in the years to come.