An iPhone-hacking toolkit used by Russian spies likely came from a U.S. military contractor
U.S. Military Contractor’s iPhone Hacking Tools Leaked to Russian Spies and Chinese Cybercriminals
In a stunning revelation that has sent shockwaves through the cybersecurity world, a sophisticated iPhone hacking toolkit originally developed for U.S. intelligence agencies has been found in the hands of Russian government spies and Chinese cybercriminals. The toolkit, known as “Coruna,” was likely created by L3Harris Technologies, a major U.S. defense contractor, and has now been linked to a global espionage and cybercrime campaign.
The Origins of Coruna
Coruna is a 23-component iPhone hacking suite designed for highly targeted surveillance operations. According to cybersecurity researchers at iVerify, the toolkit was likely developed by L3Harris’s Trenchant division, which specializes in hacking and surveillance technologies. Trenchant exclusively sells its tools to the U.S. government and its Five Eyes intelligence allies (Australia, Canada, New Zealand, and the United Kingdom).
Two former L3Harris employees confirmed to TechCrunch that Coruna was an internal project at Trenchant, with one stating, “Coruna was definitely an internal name of a component.” The toolkit was designed to exploit vulnerabilities in iOS versions 13 through 17.2.1, covering a period from September 2019 to December 2023.
How It Leaked
The exact path by which Coruna left U.S. government hands remains unclear, but the case bears striking similarities to the actions of Peter Williams, a former general manager at Trenchant. From 2022 until mid-2025, Williams sold eight company hacking tools to Operation Zero, a Russian company that specializes in purchasing zero-day exploits.
Williams was sentenced to seven years in prison after admitting to stealing and selling the tools for $1.3 million. Prosecutors alleged that Williams had “full access” to Trenchant’s networks and that the tools he leaked could potentially access “millions of computers and devices around the world.”
Russian Espionage and Chinese Cybercrime
Once Operation Zero acquired Coruna, the toolkit appears to have been sold to Russian government hackers, who deployed it against Ukrainian targets. The Russian espionage group, identified only as UNC6353, used compromised Ukrainian websites to infect specific iPhone users who visited the malicious sites.
From there, the toolkit made its way to Chinese cybercriminals, who used it in “broad-scale” campaigns aimed at stealing money and cryptocurrency. This progression from targeted government surveillance to mass cybercrime highlights the dangerous potential for such tools to proliferate beyond their intended use.
Operation Triangulation Connection
Security researchers have linked Coruna to Operation Triangulation, a sophisticated hacking campaign first revealed by Kaspersky in 2023. The operation allegedly targeted Russian iPhone users, particularly diplomats. Two specific Coruna exploits, called Photon and Gallium, were used as zero-days in Operation Triangulation.
Rocky Cole, co-founder of iVerify, noted that “the best explanation based on what’s known right now” points to Trenchant and the U.S. government being the original developers and customers of Coruna. This assessment is based on the timeline of use, structural similarities between modules, and the reuse of specific exploits.
The Broader Implications
The leak of Coruna raises serious questions about the security of government hacking tools and the potential for such technologies to be misused. The case demonstrates how tools designed for legitimate intelligence purposes can end up in the hands of adversaries and cybercriminals, potentially compromising millions of devices worldwide.
The use of bird names for some of Coruna’s components (Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow) echoes L3Harris’s previous work, including the “Condor” tool sold to the FBI for the infamous San Bernardino iPhone case.
Unanswered Questions
Several critical questions remain unanswered:
- How exactly did Coruna leave Trenchant’s secure environment?
- Was the leak a result of insider threat, as in Williams’s case, or did it occur through other means?
- How many other government hacking tools might be circulating in the wild?
- What measures can be taken to prevent such leaks in the future?
Conclusion
The Coruna case represents a significant breach in the world of government cybersecurity tools. What began as a sophisticated surveillance toolkit for Western intelligence agencies has become a weapon in the hands of Russian spies and Chinese cybercriminals. This incident underscores the complex challenges of developing and securing powerful hacking tools in an era where digital espionage and cybercrime know no borders.
As the cybersecurity community continues to grapple with the implications of this leak, one thing is clear: the proliferation of government-grade hacking tools poses a serious threat to global digital security. The Coruna case serves as a stark reminder that in the world of cyber warfare, even the most sophisticated tools can fall into the wrong hands, with potentially devastating consequences.