An alarming new threat is sweeping across the iPhone ecosystem: a sophisticated exploit kit known as Coruna is being deployed through crypto-related scam websites, silently compromising devices and draining digital wallets. This report delves into how the exploit operates, its origins, and what iPhone users in the U.S. must do to stay protected.
A New Threat: Crypto Scams Trigger ‘Coruna’ iOS Exploits
Google’s Threat Intelligence Group (GTIG) and cybersecurity firm iVerify have uncovered Coruna, a highly advanced iOS exploit kit that targets iPhones running iOS 13.0 through iOS 17.2.1. The toolkit leverages 23 distinct vulnerabilities across five full exploit chains, enabling attackers to compromise devices simply by visiting a malicious website—no user interaction required.
Initially observed in February 2025 during a surveillance operation by a commercial spyware vendor, Coruna later surfaced in a Russian espionage campaign targeting Ukrainian users and was eventually repurposed by Chinese cybercriminals to steal cryptocurrency from unsuspecting victims.
How Coruna Works
Exploit Delivery via Crypto Scam Sites
Coruna is typically delivered through watering-hole attacks—compromised or fake websites, often masquerading as crypto exchanges or financial platforms. Once an iPhone user visits such a site, hidden JavaScript code fingerprints the device, identifies its model and iOS version, and launches the appropriate exploit chain.
Multi-Stage Exploitation
The exploit chains combine WebKit remote code execution (RCE), sandbox escapes, pointer authentication code (PAC) bypasses, and kernel privilege escalation. Some of the vulnerabilities exploited include CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, among others.
Financial Payload: PlasmaLoader
Once the exploit succeeds, it installs a loader known as PlasmaLoader (also referred to as PLASMAGRID), which injects itself into system processes. The malware scans for cryptocurrency-related data—seed phrases, wallet backups, QR codes, and keywords like “backup phrase”—and exfiltrates this information to steal digital assets.
Origins and Proliferation
From Government Tool to Criminal Weapon
iVerify’s analysis suggests that Coruna bears the hallmarks of a nation-state-grade toolkit, possibly developed by or for the U.S. government. Extensive English documentation and structural similarities to known government frameworks support this theory.
Once leaked or sold, the toolkit was repurposed by multiple threat actors:
– February 2025: Used by a surveillance vendor’s client.
– Summer 2025: Deployed in targeted attacks by a Russian espionage group against Ukrainian users.
– Late 2025: Adopted by Chinese financial cybercriminals to target iPhone users via fake crypto sites.
Mass Exploitation
This marks the first known mass iOS attack, shifting from highly targeted spyware to broad-scale exploitation. iVerify estimates that tens of thousands of iPhones have already been compromised.
Impact on Stakeholders
iPhone Users
- Crypto holders are at high risk: seed phrases and wallet data can be stolen without any user action.
- Users running outdated iOS versions (13.0–17.2.1) are vulnerable.
- Devices in Lockdown Mode or private browsing are immune, as Coruna detects and aborts in these cases.
Apple
- The company patched the exploited vulnerabilities in iOS 17.3, released in January 2024.
- Apple must continue to prioritize rapid patching and user education around enabling Lockdown Mode.
Cybersecurity Community
- The incident underscores the risks of exploit proliferation from government or commercial spyware to criminal actors.
- It highlights the need for stronger regulation and oversight in the spyware market.
Mitigation and Recommendations
- Update iOS immediately to version 17.3 or later to patch all known Coruna vulnerabilities.
- Enable Lockdown Mode to block exploit execution entirely.
- Avoid suspicious crypto or financial websites, especially those prompting iPhone-specific access.
- Use private browsing when navigating unfamiliar sites; Coruna avoids execution in this mode.
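For anyone responsible for a fleet of iPhones, the first practical step is to find out which devices still sit inside the affected version window. The script below is an added example (not code from the article, GTIG, or iVerify) that classifies iOS version strings against the bounds the report gives (13.0 through 17.2.1 affected, 17.3 and later patched) and prioritises devices for updating, noting Lockdown Mode as a mitigating factor. The inventory rows and their field names (`device_id`, `ios_version`, `lockdown_mode`) are constructed sample data and assumed names, not a real MDM export format.

```python
"""Triage an iOS device inventory against the Coruna-affected version range.

Added example, not from the original article or from GTIG/iVerify. The
version bounds come from the article: iOS 13.0 through 17.2.1 is affected,
iOS 17.3 and later carries Apple's fixes. Inventory rows and field names
below are constructed sample data, not a real MDM export.
"""
from __future__ import annotations

from typing import Iterable

# Bounds stated in the article (both ends inclusive for the affected range).
VULN_MIN = (13, 0)
VULN_MAX = (17, 2, 1)
PATCHED_MIN = (17, 3)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.2.1' into (17, 2, 1); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def _key(v: tuple[int, ...], width: int = 3) -> tuple[int, ...]:
    """Right-pad with zeros so that (17, 3) and (17, 3, 0) compare equal."""
    return v + (0,) * (width - len(v))


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'below-range' or 'unassessed'."""
    v = _key(parse_version(version))
    if v >= _key(PATCHED_MIN):
        return "patched"            # 17.3 and later
    if _key(VULN_MIN) <= v <= _key(VULN_MAX):
        return "vulnerable"         # 13.0 .. 17.2.1, the range the report names
    if v < _key(VULN_MIN):
        return "below-range"        # older than anything the report assesses
    return "unassessed"             # between 17.2.1 and 17.3 (no such public release)


def triage(inventory: Iterable[dict]) -> list[dict]:
    """Annotate each device record with its exposure and a recommended action.

    Records are expected to carry 'device_id', 'ios_version' and
    'lockdown_mode' (assumed field names). Unparsable versions are flagged
    for manual review rather than silently skipped.
    """
    results = []
    for rec in inventory:
        try:
            status = classify(rec["ios_version"])
        except ValueError:
            results.append({**rec, "status": "unknown", "action": "review version field"})
            continue
        if status == "vulnerable":
            action = "update to iOS 17.3 or later now"
            if rec.get("lockdown_mode"):
                # The report says the kit aborts under Lockdown Mode; still patch.
                action += " (Lockdown Mode on: exposure reduced, update anyway)"
        elif status == "patched":
            action = "none"
        else:
            action = "review: outside the assessed range"
        results.append({**rec, "status": status, "action": action})
    return results


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "ios_version": "17.2.1", "lockdown_mode": False},
    {"device_id": "dev-002", "ios_version": "17.3", "lockdown_mode": False},
    {"device_id": "dev-003", "ios_version": "13.0", "lockdown_mode": True},
    {"device_id": "dev-004", "ios_version": "12.5.7", "lockdown_mode": False},
    {"device_id": "dev-005", "ios_version": "n/a", "lockdown_mode": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['device_id']}: iOS {row['ios_version']} -> {row['status']}: {row['action']}")
```

Versions are compared as zero-padded integer tuples rather than as strings, which is what makes "17.10" sort after "17.3" and "17.3" equal to "17.3.0"; a plain string comparison would get both wrong and quietly misclassify devices.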
Analysis and Future Outlook
Coruna represents a dangerous evolution in mobile threats: a state-grade exploit kit now weaponized for mass financial theft. Its journey—from surveillance tool to espionage weapon to criminal asset—reveals the fragility of exploit containment once such tools enter the wild.
Looking ahead:
– We may see more exploit kits leaked or sold, increasing the threat surface.
– Regulatory frameworks like the Pall Mall Process may gain urgency to curb the irresponsible trade of surveillance tools.
– Apple’s continued efforts to harden iOS, expand Lockdown Mode, and educate users will be critical.
Conclusion
The emergence of Coruna is a stark warning: iPhone users are being targeted through crypto scams that can trigger powerful, nation-state-level exploits. The threat is real, widespread, and financially motivated. The only effective defense is vigilance—keep your device updated, enable Lockdown Mode, and steer clear of suspicious crypto platforms. The stakes are high, but with proactive measures, users can stay one step ahead.
Frequently Asked Questions
What is the Coruna exploit kit?
Coruna is a sophisticated iOS exploit framework that uses 23 vulnerabilities across five exploit chains to silently compromise iPhones running iOS 13.0 through 17.2.1. It was discovered by Google’s Threat Intelligence Group and iVerify.
How do crypto scams trigger Coruna exploits?
Coruna is delivered via compromised or fake crypto and financial websites. When an iPhone user visits such a site, hidden JavaScript fingerprints the device and launches the appropriate exploit chain without any user interaction.
Which iOS versions are vulnerable?
iPhones running iOS versions from 13.0 up to 17.2.1 are vulnerable. Apple patched the exploited vulnerabilities in iOS 17.3, released in January 2024.
How can I protect my iPhone from Coruna?
- Update to iOS 17.3 or later.
- Enable Lockdown Mode.
- Use private browsing when visiting unfamiliar sites.
- Avoid suspicious crypto or financial websites.
Who is behind Coruna?
Coruna appears to have originated from a commercial surveillance vendor, possibly developed for U.S. government use. It later spread to Russian espionage groups and Chinese cybercriminals.
Has Coruna affected many users?
Yes. iVerify estimates that tens of thousands of iPhones have already been compromised by Coruna, particularly through Chinese-language scam sites.