- A new exploit kit called Coruna targets older iPhones to steal crypto wallet data
- The attack uses multiple vulnerabilities to bypass Apple’s security protections
- Recovery phrases and wallet credentials are the primary targets for hackers
A newly discovered iPhone vulnerability is raising concern across the crypto space, particularly among users who store wallet data on mobile devices. Security researchers say a sophisticated exploit toolkit known as Coruna is actively targeting older iPhones, potentially allowing attackers to steal sensitive crypto information, including wallet recovery phrases. For investors who rely on mobile wallets to store assets like Bitcoin or Ethereum, that possibility alone is enough to trigger alarm.
The warning comes from the Google Threat Intelligence Group, which recently revealed that the exploit is scanning devices running outdated versions of Apple’s mobile software. iPhones operating between iOS 13 and iOS 17.2.1 appear to be the primary targets. Devices that have not been updated may face significantly higher risk if exposed to the exploit.
How the Coruna Attack Breaks Into iPhones
Unlike typical malware campaigns, Coruna is built as a complex exploit system rather than a single malicious program. Researchers say the toolkit combines five full exploit chains and at least 23 vulnerabilities to gain access to targeted devices. That layered approach allows attackers to bypass several of Apple’s security defenses in sequence.
The attack usually begins when a user visits a compromised or malicious website. Hidden JavaScript embedded in the page quietly scans the visitor’s device, identifying details such as the iPhone model, operating system version, and active security settings. If the device matches a vulnerable configuration, the exploit chain begins automatically.
Spyware Installation and Data Extraction
Once the exploit successfully bypasses the device’s protections, the malware escalates its system privileges. This allows attackers to install spyware directly onto the iPhone without the user noticing anything unusual. From there, the spyware can begin searching through device data for sensitive information.
Researchers say the malware is specifically designed to locate crypto wallet files, account credentials, and mnemonic recovery phrases. These phrases are essentially the master keys for cryptocurrency wallets. Anyone who obtains them can recreate the wallet on another device and transfer the assets within minutes.
Crypto Wallets Are the Primary Target
Because of how crypto wallets work, recovery phrases represent one of the most valuable targets for attackers. If hackers gain access to those phrases, they can instantly restore the wallet on their own device and move the funds out. Victims often discover the theft only after the transactions have already been completed.
Investigators say the Coruna campaign spreads through what are known as “watering hole” attacks. Hackers compromise websites that crypto users frequently visit, including fake trading platforms, phishing portals, or imitation wallet services. Anyone visiting these pages with a vulnerable iPhone could unknowingly trigger the exploit.
Possible Links to Nation-State Cyber Tools
Security firm iVerify has noted that parts of Coruna’s code resemble tools believed to have originated from U.S. government cyber programs. While this does not necessarily mean the exploit was developed by a government, it suggests that components of advanced cyber tools may have leaked into the wider hacking ecosystem.
Researchers now suspect the toolkit could be used by cybercriminal groups as well as intelligence-linked actors from countries such as Russia or China. If confirmed, the campaign could represent one of the first large-scale mobile exploits derived from nation-state cyber capabilities targeting the crypto sector.
