SKN | Google Flags ‘Coruna’ iPhone Exploit Kit Targeting Crypto Wallets

Key Points

• Google researchers discovered a new iPhone exploit kit designed to steal crypto wallet seed phrases.
• The kit, called Coruna, includes five iOS exploit chains and 23 vulnerabilities targeting devices running iOS 13 through 17.2.1.
• Attackers distribute the exploit through fake cryptocurrency and finance websites.

Researchers at Google have identified a sophisticated exploit kit aimed at compromising iPhones to steal cryptocurrency wallet data.

The kit, dubbed “Coruna,” was uncovered by the Google Threat Intelligence Group and includes five complete iOS exploit chains containing 23 vulnerabilities, some previously unknown to the public.

The exploit targets devices running versions of iOS from 13.0 up to 17.2.1. Google researchers warned that attackers can use it to infiltrate iPhones and harvest sensitive financial information, particularly cryptocurrency wallet recovery phrases.

Fake Crypto Sites Deliver the Attack

The exploit kit is distributed through fraudulent financial and cryptocurrency websites.

According to Google’s analysis, attackers embed malicious JavaScript that fingerprints a visitor’s device to determine whether it is vulnerable. If the user is running a susceptible version of iOS, the exploit chain is deployed automatically.

The system scans devices for wallet-related data, including seed phrases and text messages containing terms such as “backup phrase” or “bank account.”

Researchers said the kit also specifically looks for popular crypto applications such as MetaMask and Uniswap in an attempt to extract funds or sensitive account information.

One of the fake sites impersonated WEEX, illustrating how attackers leverage brand spoofing to lure victims.

Espionage and Cybercrime Connections

Google first detected components of the exploit kit in February 2025. Early activity suggested use by a suspected Russian espionage group targeting Ukrainian users.

Later in the year, the same framework appeared across numerous fake Chinese-language financial websites aimed at crypto investors.

Security researchers believe the exploit’s sophistication indicates a high development cost, potentially reaching millions of dollars.

Disputed Origins of the Tool

The origin of the Coruna exploit kit remains unclear.

Mobile security firm iVerify suggested the code may resemble tools previously linked to U.S. intelligence operations.

However, analysts at Kaspersky said they found no direct evidence that the exploit shares code with known government-developed tools.

How Users Can Protect Their Devices

The exploit does not work on the latest iOS version, and researchers strongly recommend updating devices immediately.

Users who cannot update their phones are advised to enable Apple’s Lockdown Mode, which adds additional protections against sophisticated cyberattacks.

As cryptocurrency adoption grows, security experts warn that attackers are increasingly targeting mobile devices and wallet credentials — particularly seed phrases — which can grant complete control over a user’s digital assets.