A cache of government-grade iPhone exploits has slipped the leash and is now fueling criminal hacking campaigns, according to new research from Google and mobile security firm iVerify. The toolkit, known as Coruna, strings together dozens of vulnerabilities to quietly compromise iPhones via booby-trapped web pages, underscoring how state-developed capabilities can leak and cascade into the broader cybercrime economy.
Investigators say Coruna began as a surveillance vendor’s weapon for government customers. Over time, it migrated from targeted espionage to wider criminal use — a pipeline experts warn is becoming a recurring pattern as “secondhand” exploit markets mature.

What Researchers Found About Coruna’s Evolving Deployment
Google’s security team first spotted Coruna during an attempted spyware installation tied to a government client. Months later, the same exploit kit surfaced in a broad campaign against users in Ukraine linked to a Russian espionage group, and eventually in profit-driven activity by a financially motivated hacker in China. That trajectory — from bespoke government use to opportunistic criminal deployment — suggests the kit either leaked or was resold.
iVerify says it obtained and reverse-engineered Coruna, finding code similarities to tools previously attributed to the United States. While the firm stops short of definitive attribution, it warns that the more widely a toolkit circulates, the greater the odds of a leak — and the less control any government retains over its use.
Wired first reported on Coruna’s discovery and noted overlaps with components seen in Operation Triangulation, a sophisticated iPhone hacking campaign disclosed in recent years. Kaspersky, which analyzed that earlier operation, said its employees’ iPhones were targeted, intensifying debate over the origins and stewardship of such capabilities.

How Coruna Breaks Into iPhones via Chained Exploits
Coruna relies on “watering hole” attacks: victims are silently compromised by visiting a malicious site or following a seeded link. Google’s analysis indicates the kit includes five distinct exploit chains, each chaining bugs to bypass multiple iOS defenses. In total, researchers counted 23 vulnerabilities in its arsenal, affecting devices from iOS 13 through iOS 17.2.1.
Apple has layered iPhone security with features like BlastDoor and, for high-risk users, Lockdown Mode. But complex chains like Coruna’s show how attackers combine memory corruption, sandbox escapes, and kernel-level flaws to hop past protections. The lesson is familiar: patch velocity matters, and layered mitigations reduce risk but rarely eliminate it when high-end exploit kits circulate.

From State Secrets to Crimeware in the Exploit Market
Exploits are expensive to build and maintain. Vendors sell them to governments for lawful intercept and intelligence work — at least on paper. Once patched or devalued, though, those same tools can bleed into gray markets where they’re repackaged and resold to recoup costs, or they leak through poor operational security. Google’s team has warned about a growing market for these “secondhand” exploits, which retain dangerous utility against lagging devices.

The risks are not hypothetical. When the NSA’s Windows exploit EternalBlue leaked, it was rapidly repurposed by criminal groups. WannaCry alone hit more than 200,000 machines across 150 countries, disrupting hospitals and transport and inflicting billions in damages. Mobile platforms have historically been harder to mass-ransom, but the Coruna case shows how elite capabilities can migrate and scale beyond their original scope.

Who Is at Risk from Coruna and What iPhone Users Can Do
High-value targets — journalists, diplomats, activists, executives, cryptocurrency holders — face the greatest risk, but any iPhone running outdated software is exposed if it wanders onto a compromised site. Attackers increasingly seed news, regional, and community sites frequented by their targets, raising the odds of incidental exposure.
Defenses start with updates. Install the latest iOS release and enable automatic Rapid Security Responses. Apple’s adoption metrics historically show new iOS versions surpassing 70% on recent devices within months, but the long tail of unpatched phones remains attractive to attackers. High-risk users should consider Lockdown Mode, limit unsolicited link-clicking, use reputable content blockers for Safari, and route browsing through privacy-focused DNS or enterprise filtering where possible.
Organizations should monitor mobile telemetry for anomalous WebKit and kernel crash indicators, enforce minimum OS versions via MDM, and maintain threat intelligence feeds that flag known watering-hole infrastructure. Given Coruna’s modularity, assume variants will persist even as specific CVEs are patched.
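
As an added illustration of the minimum-OS enforcement described above (example code, not taken from Google's or iVerify's research), the script below sorts a constructed MDM inventory export by whether each device falls inside the iOS 13 through 17.2.1 range the researchers reported. The CSV column names and device entries are assumptions made for the example.

```python
import csv
import io

# Range the article reports as covered by Coruna's exploit chains.
RANGE_MIN = (13, 0, 0)
RANGE_MAX = (17, 2, 1)

# Constructed sample of an MDM inventory export; column names are assumptions.
SAMPLE_INVENTORY = """device_id,owner,os_version
D-001,alice,17.2.1
D-002,bob,17.10
D-003,carol,16.7.2
D-004,dave,12.5.7
D-005,erin,18.1
D-006,frank,17.2
D-007,grace,unknown
"""

def parse_version(text):
    """Turn '17.2' into (17, 2, 0); return None if the field is not a version."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version):
    """Compare numerically: as plain strings, '17.10' would sort below '17.2.1'."""
    if version is None:
        return "unverified"          # fail closed: unknown versions need review
    if version < RANGE_MIN:
        return "older"               # predates the reported range, still out of date
    if version <= RANGE_MAX:
        return "in_reported_range"
    return "newer"

def audit(csv_text):
    """Group device IDs from the inventory by classification."""
    groups = {"in_reported_range": [], "older": [], "newer": [], "unverified": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(parse_version(row["os_version"]))
        groups[status].append(row["device_id"])
    return groups

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

A device in the "newer" group is only outside the range named in the research; it still needs to track current iOS releases, since the article expects variants to persist.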

The Policy Gap Exploited When Governments Stockpile Zero-Days
Coruna revives a long-running policy dilemma: when governments stockpile zero-days, they assume the burden of perfect secrecy, and history shows that’s a fragile bet. The Vulnerabilities Equities Process exists to weigh disclosure against operational value, but it rarely accounts for downstream criminalization once tools seep into global markets.
Experts say governments need stronger guardrails around procurement and use of commercial exploits, auditable controls on vendor handling, and clearer timelines for disclosure once capabilities are burned. Without that, today’s covert tools risk becoming tomorrow’s crimeware kits — with consumers, not spies, paying the price.
