Crypto World
Google Just Found iOS Exploit Kit Draining Crypto Wallets
Google discovered a hacking toolkit called Coruna that silently breaks into iPhones and steals crypto by targeting popular wallet apps like MetaMask, Phantom, and Trust Wallet.
The attack requires no action from the victim: simply visiting a compromised or fake website on an unpatched iPhone is enough to trigger the infection.
Why it matters:
- iPhones running iOS 17.2.1 or older remain vulnerable; Apple only patched the final exploits in iOS 17.3, released January 2024.
- The toolkit scans notes and messages for crypto seed phrases and keywords like “backup phrase,” giving attackers full wallet access without needing a password.
- 18 crypto apps are targeted, meaning users of MetaMask, Phantom, Exodus, Trust Wallet, and Uniswap face direct theft risk.
The details:
- Google Threat Intelligence Group (GTIG) allegedly recovered the full toolkit from hundreds of fake financial and crypto exchange websites, including a spoofed WEEX crypto exchange.
- A suspected Russian espionage group used the same toolkit in summer 2025 to target Ukrainian iPhone users through compromised local business websites.
- A China-based financially motivated group later deployed it broadly via scam sites, allowing Google to retrieve the complete toolkit and name it Coruna.
- Enabling Lockdown Mode in iPhone settings blocks the attack entirely — the toolkit detects it and stops running.
The big picture:
- The same toolkit passed through a surveillance company, a state-backed Russian group, and Chinese financial criminals. This suggests a growing secondhand market for powerful hacking tools.
- Two of Coruna’s exploits were previously used in Operation Triangulation, a 2023 iOS spying campaign uncovered by Kaspersky, showing how elite exploits get recycled across threat actors.
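
For fleet triage, the iOS version cutoff and the Lockdown Mode behavior reported above can be applied to a device inventory. This is an added example, not code from Google or the original article; the CSV column names and the sample rows are constructed assumptions, not a real MDM schema.

```python
import csv
import io
import re

# Per the article: iOS 17.2.1 and older are exposed; iOS 17.3 carries the final fixes.
FIRST_FIXED = (17, 3, 0)

# Constructed sample export; column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
ios-001,17.2.1,false
ios-002,17.3,false
ios-003,16.7.2,true
ios-004,17.2.1 (21C66),false
ios-005,,false
ios-006,18.1,false
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the field holds no version."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    # Missing components count as 0, so "17.3" compares equal to 17.3.0.
    return tuple(int(g or 0) for g in m.groups())

def triage(inventory_csv):
    """Map device_id -> 'patched' | 'exposed' | 'exposed-lockdown' | 'unknown'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["os_version"])
        if version is None:
            status = "unknown"  # no usable version: verify the device by hand
        elif version >= FIRST_FIXED:
            status = "patched"
        elif row["lockdown_mode"].strip().lower() == "true":
            # Lockdown Mode stops the toolkit per the article; the OS is still outdated.
            status = "exposed-lockdown"
        else:
            status = "exposed"
        result[row["device_id"]] = status
    return result

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}\t{status}")
```

Devices reported as `unknown` should be handled as unpatched until their version is confirmed.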