Google Exposes Coruna Exploit Kit Stealing Cryptocurrency from iPhone Users on iOS 13-17.2.1
Key Takeaways
- Google’s security researchers reveal Coruna exploit framework designed to steal cryptocurrency from iPhones.
- The exploit framework successfully compromises iOS versions 13 through 17.2.1 via WebKit vulnerabilities.
- Multiple threat actors deploy identical exploits for both espionage campaigns and financial cybercrime.
- Malicious code targets cryptocurrency wallets, QR codes, and stored notes containing sensitive credentials.
- Immediate iOS updates or Lockdown Mode activation recommended for device protection.
Security researchers at Google have uncovered a sophisticated exploitation framework specifically designed to compromise iPhones operating on iOS versions ranging from 13 to 17.2.1. According to Google’s Threat Intelligence Group, cybercriminals leverage this exploit toolkit to extract cryptocurrency wallet credentials and other valuable financial data. Google’s analysis reveals that the framework has been adopted by various malicious actors conducting both state-sponsored surveillance and widespread financial fraud operations.
Google monitors Coruna exploit framework distribution among cybercriminal groups
The Threat Intelligence division at Google first encountered this exploitation toolkit while investigating targeted surveillance activities during the early months of 2025. Security analysts at Google observed threat actors utilizing the framework through specialized JavaScript code engineered to profile iPhone hardware. This profiling mechanism determines specific device models and firmware versions before deploying customized exploitation sequences.
Google subsequently traced connections between this identical exploit framework and watering-hole compromises specifically aimed at Ukrainian internet users. The malicious JavaScript appeared embedded within legitimate but compromised websites, loading through concealed iFrames that activated exclusively when visitors accessed sites using iPhones. Google’s research team attributed these intrusion attempts to UNC6353, a threat actor suspected of conducting Russian intelligence operations.
Further investigation by Google revealed the same exploitation toolkit operating across extensive networks of deceptive Chinese financial platforms. These fraudulent websites presented themselves as legitimate cryptocurrency exchanges and online gambling services to deceive potential victims. Google’s findings indicate that financially motivated cybercriminals subsequently adopted the toolkit for mass-scale criminal operations.
Google researchers document exploit sequences across multiple iOS releases
According to Google’s technical analysis, the Coruna framework encompasses five complete exploitation sequences utilizing twenty-three distinct security vulnerabilities. The toolkit successfully compromises iPhone devices operating any firmware version between iOS 13 and iOS 17.2.1. Google’s security analysts verified that attackers weaponize WebKit browser vulnerabilities as the initial attack vector to gain code execution on victim devices.
The exploitation framework incorporates sophisticated techniques to circumvent advanced security mechanisms including pointer authentication controls. Following successful initial compromise, attackers deliver encrypted binary components specifically crafted to inject additional malicious modules into the operating system. Google’s technical documentation describes a specialized loader component that infiltrates code directly into iOS power management system processes.
Google additionally documented that the exploit framework intentionally avoids compromising devices operating with Lockdown Mode enabled or during private browsing sessions. The toolkit employs advanced fingerprinting methodologies to confirm it exclusively targets authentic iPhone hardware. Google’s technical assessment demonstrates that attackers meticulously engineered the framework to deploy version-specific exploit sequences tailored to each target device.
Google security team identifies crypto wallet theft as primary objective
Google’s security analysts determined that the ultimate malware payload concentrates on harvesting financial credentials and cryptocurrency information stored within compromised devices. The malware systematically scans filesystem contents and image files searching for cryptocurrency wallet recovery phrases and banking-related references. Google documented that the malicious code specifically searches for BIP39 mnemonic seed phrases and associated wallet backup terminology.
The malicious application possesses capabilities to analyze photographic content stored on compromised devices, specifically scanning for QR code patterns containing wallet credentials or transaction information. Upon successfully identifying valuable data, the malware establishes connections with attacker-operated command infrastructure to exfiltrate the stolen information. Google’s analysis confirmed the malware additionally searches Apple Notes application data for content referencing banking credentials or cryptographic recovery keys.
Google verified that the exploitation framework no longer successfully compromises the most recent iOS firmware releases. Nevertheless, Google strongly advises users to immediately update devices currently operating outdated operating system versions. The security team additionally recommends activating Lockdown Mode on devices where immediate updates prove impractical, significantly reducing vulnerability to similar exploitation attempts.
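As an added illustration of the guidance above (this is not code from Google’s report), the following Python triages a device inventory against the affected range the article gives, iOS 13 through 17.2.1 inclusive, and recommends an update, or Lockdown Mode where the inventory marks an immediate update as impractical. The inventory format and its `can_update` field are constructed assumptions.

```python
# Added example: triage an MDM/device inventory against the iOS range the article
# reports as affected by Coruna (13.0 through 17.2.1, inclusive). Affected devices get
# an "update_ios" recommendation, or "enable_lockdown_mode" when the constructed
# "can_update" field says an immediate update is impractical.
from typing import List, Tuple

AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(version: str) -> Tuple[int, int, int]:
    """Turn 'iOS 17.2' or '17.2.1' into a comparable (major, minor, patch) tuple."""
    cleaned = version.lower().replace("ios", "").strip()
    parts = cleaned.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the report says the framework exploits."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage(inventory: List[dict]) -> List[dict]:
    """Return one finding per device that needs action; unaffected devices are skipped."""
    findings = []
    for dev in inventory:
        try:
            affected = is_affected(dev["os_version"])
        except ValueError:
            # Unknown version strings are flagged rather than silently treated as safe.
            findings.append({"device": dev["id"], "action": "verify_version"})
            continue
        if not affected:
            continue
        action = "update_ios" if dev.get("can_update", True) else "enable_lockdown_mode"
        findings.append({"device": dev["id"], "action": action})
    return findings


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "os_version": "iOS 17.2.1", "can_update": True},
    {"id": "iphone-002", "os_version": "17.3", "can_update": True},
    {"id": "iphone-003", "os_version": "16.7.2", "can_update": False},
    {"id": "iphone-004", "os_version": "12.5.7", "can_update": True},
    {"id": "iphone-005", "os_version": "unknown"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```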