A suite of government hacking tools targeting iPhones is now being used by cybercriminals

Published: March 3, 2026 at 06:27 PM EST
Source: TechCrunch

Security researchers have identified a suite of powerful hacking tools, capable of compromising Apple iPhones running older software, that has apparently passed from a government customer into the hands of cybercriminals.

Discovery of the Coruna exploit kit

Google said it first identified the exploit kit—dubbed Coruna—in February 2025 during a surveillance vendor’s attempt to hack a phone with spyware on behalf of a government customer. The same kit was later observed targeting Ukrainian users in a broad‑scale campaign by a Russian espionage group, and subsequently used by a financially motivated hacker in China.

Google security researchers warned of an emerging market for “second‑hand” exploits, which are sold to profit‑motivated hackers to extract additional value from the vulnerabilities.

iVerify, a mobile‑security company that obtained and reverse‑engineered the tools, linked the Coruna kit to the U.S. government based on similarities to previously attributed U.S. hacking tools. In a blog post, iVerify noted:

“The more widespread the use, the more certain a leak will occur. While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Capabilities and affected devices

Google described the Coruna kit as powerful because it can bypass an iPhone’s defenses when the user simply visits a malicious website containing the exploit code, a classic “watering‑hole” attack. The kit can compromise an iPhone in five separate ways by chaining together 23 distinct vulnerabilities. Affected devices range from iPhone models running iOS 13 up to iOS 17.2.1 (released December 2023).

According to Wired, which first reported the news, the Coruna kit contains components previously used in a hacking campaign dubbed Operation Triangulation. Russian cybersecurity firm Kaspersky claimed in 2023 that the U.S. government tried to hack several iPhones belonging to its employees.

Historical context of leaked hacking tools

Leaks of government‑developed hacking tools are rare but not unprecedented:

  • In 2017, the U.S. National Security Agency discovered that its Windows‑targeting tools, including the EternalBlue backdoor, had been stolen. EternalBlue was later published and used by cybercriminals in subsequent attacks, most notably the WannaCry ransomware outbreak in 2017, which was attributed to North Korea.

  • TechCrunch reported on the case of Peter Williams, former head of the U.S. defense contractor L3Harris Trenchant, who was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker known to work with the Russian government. Prosecutors said the exploits could hack “millions of computers and devices” worldwide, and at least one was sold to a South Korean broker. It remains unclear whether the exploits were ever disclosed to the software vendors or patched.

These examples illustrate how tools designed for state‑level surveillance can eventually proliferate into the broader cyber‑crime ecosystem.
