Google's Threat Intelligence Group published research detailing a sophisticated iOS exploit framework called Coruna - containing 23 vulnerabilities across five full exploit chains - that was used by suspected Russian espionage operatives and Chinese cryptocurrency scammers throughout 2025.
Mobile security firm iVerify separately concluded the codebase bears hallmarks of U.S. government-developed tools, calling it the first known case of likely nation-state iOS capabilities repurposed for mass criminal use.
All vulnerabilities exploited by Coruna have been patched in current iOS versions. Devices running iOS 17.2.1 and older, released through December 2023, remain the affected range.
What Happened
Google tracked Coruna through three distinct operators across 2025. It first appeared in February in an exploit chain used by a customer of an unnamed commercial surveillance vendor.
By summer, the identical JavaScript framework appeared as hidden iframes on compromised Ukrainian websites, selectively targeting iPhone users by geolocation - attributed to UNC6353, a suspected Russian espionage group. By late 2025, the full toolkit had been deployed across hundreds of fake Chinese-language cryptocurrency and gambling websites, compromising an estimated 42,000 devices in a single campaign.
The kit operates as a drive-by attack: no click required. A target visiting a compromised site triggers silent JavaScript that fingerprints the device and delivers a tailored exploit chain. The criminal-adapted payload scans for BIP39 seed phrases, harvests MetaMask and Trust Wallet data, and exfiltrates credentials to command-and-control servers.
Why It Matters
iVerify co-founder Rocky Cole - a former NSA analyst - said Coruna's codebase is "superb" and shares engineering fingerprints with modules previously linked publicly to U.S. government programs, including components from Operation Triangulation, a 2023 iOS campaign that Russia officially attributed to the NSA. Washington has never commented on that allegation.
Cole described the situation as a potential "EternalBlue moment" - referencing the NSA-developed Windows exploit stolen in 2017 that later enabled the WannaCry and NotPetya attacks.
Google noted an active "second-hand market" for zero-day exploit frameworks, with the Coruna trail reinforcing how state-grade tools migrate through brokers into criminal infrastructure with no clear handoff point.
The NSA did not respond to requests for comment. Apple has issued patches covering all known Coruna vulnerabilities.
Read next: JPMorgan's Dimon Draws A Hard Line On Stablecoin Interest - How It Could Kill The CLARITY Act