Key Highlights
- The “Coruna” kit bundles 23 individual exploits into 5 full chains, targeting every iPhone and iPad running iOS 13.0 through iOS 17.2.1.
- Updating to iOS 17.3 or later (current: iOS 26) renders Coruna entirely ineffective; enabling Lockdown Mode causes the malware to self-terminate on contact.
Google’s security team recently revealed details about a significant mobile threat that experts are calling one of the most concerning they’ve seen in years. Their report explains how a complete toolset for hacking iPhones—called “Coruna” (also known as CryptoWaters)—works. The name CryptoWaters suggests the kit is used for stealing cryptocurrency.
This hacking kit isn’t technically new; the market for exploiting iPhones is already a large, well-known, and profitable underground business. What’s concerning about Coruna is how quickly things are changing. Originally designed for secret government spying, it’s now being sold and used to target everyday people who own cryptocurrency, something we haven’t seen on this scale before in mobile security threats.
The Three Faces of a Roaming Weapon
Google’s research shows a fascinating history of how the Coruna hacking tool moved between different groups. Over about a year, it seems the same tool was used by three separate threat actors, each with their own unique goals. It’s like tracking the tool’s journey through the criminal underworld.
The first known instance of this technology being used was in February 2025, by a client of a private surveillance company. This company operates in a similar, unregulated market as NSO Group, the creator of the notorious Pegasus spyware. Initially, the technology was used in a focused way, targeting a small number of high-profile individuals like politicians, journalists, and activists – a pattern common with commercial spyware.
By the summer of 2025, the Google Threat Intelligence Group (GTIG) noticed the same exploitation methods being used in a politically sensitive situation. A group called UNC6353, assessed with high confidence to be connected to the Russian government, was using Coruna to target people and essential systems in Ukraine. This indicated the tool had shifted from being used for financial gain to being used by a national government.
Starting in late 2025 and continuing into early 2026, a cybercrime group that speaks Chinese and is motivated by financial gain – known as UNC6691 – obtained this toolkit and completely changed what they targeted. Instead of spying on people, they began stealing Bitcoin and other digital currencies from iPhone users.
The ‘Watering Hole’ Infrastructure
Instead of using common methods like phishing emails or infected apps, which most people are now cautious of, the UNC6691 group used a clever tactic called a “watering hole” attack. They didn’t directly target individuals; instead, they compromised websites those individuals frequently visited.
The group created realistic fake versions of popular cryptocurrency exchanges and financial websites. For example, they copied the legitimate WEEX crypto trading platform. These fake sites are nearly identical to the real ones and are often found through online searches or advertisements.
When someone with an iPhone visits these webpages, a hidden element runs fingerprinting code that identifies the device and checks its iOS version. If the phone is running iOS 17.2.1 or any older version (going back to iOS 13.0), the exploit chain begins automatically. The user doesn’t need to click anything, download anything, or even interact with the page. In some cases, the websites even encouraged people to use iPhones, potentially exposing more users to this threat.
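Because the kit gates on the iOS version, a defender can apply the same version check in reverse: scan web-access logs for Safari clients that report an iOS build inside the affected 13.0 through 17.2.1 range and flag them for updating. The script below is an added example and is not from Google's report; the log lines are constructed, and the User-Agent format is the standard one Safari on iOS sends (note that iPads default to a desktop User-Agent and will not be caught this way).

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the report coverage: iOS 13.0 through 17.2.1 (fixed in 17.3).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '17.2.1', '17.2' or '17_2_1' into a comparable 3-tuple; missing parts count as 0."""
    parts = re.split(r"[._]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts][:3]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])

def is_affected(version: str) -> bool:
    """True if the version lies inside the range the exploit kit targets."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

# Safari advertises the OS build in its User-Agent, e.g. "CPU iPhone OS 17_2_1 like Mac OS X"
# (iPhone) or "CPU OS 16_1 like Mac OS X" (iPad in mobile mode).
_UA_RE = re.compile(r"(?:iPhone|CPU) OS (\d+(?:_\d+)*) like Mac OS X")

def ios_version_from_ua(user_agent: str) -> Optional[str]:
    m = _UA_RE.search(user_agent)
    return m.group(1).replace("_", ".") if m else None

def flag_exposed_clients(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, ios_version) for each combined-format access-log line in the affected range."""
    exposed = []
    for line in log_lines:
        client = line.split(" ", 1)[0]          # client address is the first field
        quoted = re.findall(r'"([^"]*)"', line)  # request, referer, user-agent
        if not quoted:
            continue
        version = ios_version_from_ua(quoted[-1])
        if version and is_affected(version):
            exposed.append((client, version))
    return exposed

# Constructed sample log lines (not real traffic): one vulnerable iPhone, one patched iPhone,
# one vulnerable iPad, one Windows client, one iPhone older than the affected range.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.6 - - [05/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.7 - - [05/Mar/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad; CPU OS 16_1 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.8 - - [05/Mar/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"',
    '203.0.113.9 - - [05/Mar/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
]

if __name__ == "__main__":
    for client, version in flag_exposed_clients(SAMPLE_LOG):
        print(f"{client} runs iOS {version}: inside the affected range, update to 17.3 or later")
```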
Steps for iPhone Users To Protect Themselves
While the security situation is concerning, there are definite steps we can take to improve it. Google’s report, along with research from others, highlights four key areas to focus on:
- Update iOS Immediately: Coruna is entirely ineffective against iOS 17.3 and later (current release: iOS 26). Any device updated within the past year is protected.
- Enable Lockdown Mode: Google confirmed that Coruna’s PlasmaLoader automatically self-terminates upon detecting Lockdown Mode is active. This is the single most effective real-time defense.
- Use a Hardware Wallet: Private keys stored on a hardware wallet (Ledger, Trezor) never touch the iOS environment. Even a fully compromised iPhone cannot access funds secured offline in this manner.
- Purge Sensitive Photos: PlasmaLoader scans photo galleries for wallet QR codes. Delete any images containing seed phrases, private keys, or wallet backup codes—or store them only on offline media.
Security experts have observed that the Coruna malware avoids running when it detects private or incognito browsing modes—likely to cover its tracks and limit evidence of the attack. Although this isn’t a strong security measure on its own, it’s a notable behavior that could help investigators understand who is behind the attack.
2026-03-05 11:50