Google Uncovers Coruna iPhone Exploit Kit Targeting Crypto Wallets

How the Coruna iPhone Exploit Kit Steals Private Seed Phrases

A dangerous new hacking tool is putting iPhone users and their digital wealth at risk. Google’s Threat Intelligence Group (GTIG) has discovered a powerful software package known as the Coruna iPhone exploit kit. This toolkit, also called "CryptoWaters" by some researchers, is designed to break into Apple devices running iOS versions 13.0 through 17.2.1. It is one of the most complex threats ever seen in the public eye.

Source: X(formerly Twitter)

The Coruna iPhone exploit kit is highly advanced, containing 23 different hacking methods organized into five full "exploit chains". Some of these techniques were previously unknown to the public. What makes this situation scary is how the tool has moved between different groups. It was first used by a surveillance company, then by a Russian spying group, and finally by a criminal gang in China focused on stealing money. This shows a growing market where high-level spy tools are being sold to common hackers.

How the Coruna iPhone exploit kit Hacks Your Private Data

The main goal of this attack is to steal cryptocurrency. Hackers use fake websites, such as a cloned version of the WEEX crypto exchange, to lure victims. If you visit one of these sites on an older iPhone, a hidden script runs in the background without you knowing.

How the Theft Happens

Fingerprinting: The kit first checks your iPhone model and software version to see if it can be hacked.

Background Access: It uses flaws in the Safari browser to gain "root" access to your entire phone.

Keyword Hunting: A program called "PlasmaLoader" scans your device for sensitive words like "backup phrase" or "bank account".

Wallet Extraction: It targets popular apps like MetaMask, Exodus, Coinbase Wallet, and Bitget to steal seed phrases and private keys.

C2 Communication: Once it finds your data, it sends it to an external server controlled by the hackers.

The Debate Over Its Origins

Researchers are still arguing about where this kit came from. The security firm iVerify claims the code looks very similar to tools built by the U.S. government that may have "spun out of control". However, other experts from Kaspersky say there is no solid proof yet that the code was copied from known government frameworks. Regardless of its origin, the toolkit cost millions of dollars to develop and is now being used to attack regular users.

Future Outlook: Expert Analysis

The discovery of the Coruna toolkit is a wake-up call for the mobile industry. We are seeing a "second-hand" market for cyber weapons where state-level tools are being recycled for financial crime. This means that targeted spyware is now being used for mass attacks against anyone holding crypto. In the future, we expect hackers to become even better at hiding their scripts inside everyday websites.

The best way to stay safe is simple: keep your iPhone updated. Google and Apple both confirm that the Coruna iPhone exploit kit does not work on the latest versions of iOS, such as iOS 17.3 and newer. If your phone is too old to update, you should turn on "Lockdown Mode" in your settings. The hackers designed this kit to automatically stop if it detects Lockdown Mode, as it makes the device too hard to crack.

Your Money Your Life Disclaimer: Cryptocurrency and mobile security involve high risks. This article provides information based on current security reports and does not guarantee total protection. Always consult official Apple security guides for the best advice on your specific device.