
The leak demonstrates how state‑grade exploits can quickly become weapons for adversaries and cybercriminals, threatening millions of mobile users and highlighting weaknesses in the zero‑day market.
Google’s recent security report unveiled “Coruna,” a sophisticated iPhone‑hacking toolkit that bundles five exploitation techniques and leverages 23 distinct iOS flaws. Researchers observed the toolkit first in a Russian‑linked espionage campaign targeting Ukrainian sites, then later repurposed by a criminal group that injected crypto‑stealing payloads into Chinese‑language webpages. The rapid evolution of the same code base across disparate threat actors highlights its modular design and high value. The provenance of Coruna is murkier than its code.
S. surveillance contractor, and the toolkit shares components with the 2023 “Triangulation” operation that Russia blamed on the NSA. S. government program, its appearance on the black market mirrors the 2017 EternalBlue leak that powered WannaCry and NotPetya.
Such a trajectory underscores a growing ecosystem of zero‑day brokers who monetize state‑grade exploits, blurring the line between nation‑state espionage and organized cybercrime. Apple responded by patching all Coruna‑related flaws in iOS 26, but devices stuck on older releases remain vulnerable, especially those without Lockdown Mode enabled. The estimated 42,000 compromised iPhones illustrate how a single high‑value exploit can cascade into widespread theft of cryptocurrency and personal data. Enterprises and consumers must prioritize timely OS updates and consider additional network‑level protections to mitigate drive‑by attacks. The episode serves as a stark reminder that even the most secure mobile platforms can be undermined when state‑origin tools leak into the wild.