Google Warns Of Crypto Scams Targeting Older IPhones Through New Exploit Kit

Introduction to the "Coruna" Cyber-Attack Tool Targeting iPhones

 

In a significant revelation, Google's Threat Intelligence Group (GTIG) has brought to light a sophisticated cyber-attack tool designed to exploit vulnerabilities in older iPhone operating systems. This tool, known as "Coruna," specifically targets devices operating on iOS versions ranging from 13.0 to 17.2.1, which were rolled out between 2019 and 2023. The primary objective of Coruna is to steal cryptocurrency wallet information, posing a considerable threat to users who have not updated their devices to the latest iOS version.

 

Details of the Exploit Kit

 

The Coruna exploit kit is a potent tool composed of five complete iOS exploit chains alongside 23 individual vulnerabilities. Notably, some of these vulnerabilities were previously unknown, highlighting the complexity and advanced nature of this exploit. It’s designed to target unsuspecting users through fraudulent cryptocurrency websites. When a victim happens onto one of these malicious sites using an affected iPhone, the hidden code activates, analyzing the device to deploy a customized attack with the goal of extracting sensitive financial information.

 

How Coruna Targets Crypto Information

 

The core functionality of Coruna involves scanning for cryptocurrency wallet seed phrases and examining messages for particular keywords like "backup phrase" or "bank account." Furthermore, it can infiltrate data associated with popular crypto applications such as MetaMask and Uniswap, making it a comprehensive threat to digital asset holders.

 

Historical Context and Spread of the Exploitation

 

The detection of Coruna dates back to February 2025, wherein it was identified during activities associated with a surveillance vendor attempting to breach a mobile device. As the year progressed, this exploit framework was found on compromised Ukrainian websites, initially targeting specific iPhone users based on their geolocation. By December 2025, investigators noticed a surge in fake finance-related websites embedded with the exploit, presumed to be connected to Chinese cybercriminal activities. Notably, one of these imitated a cryptocurrency trading platform, enticing users to engage via their mobile devices.

 

Theories on Development and Sophistication

 

Despite the impact and breadth of Coruna, its origins and spread beyond the initial environments remain ambiguous. Google's research suggests a thriving underground market for hacking tools may be facilitating its dissemination. Security enterprises such as iVerify speculate that the technology underpinning Coruna is highly sophisticated, potentially requiring millions of dollars for development. Although comparisons have been drawn to government-developed cyber tools, particularly ones from the US, direct technical connections have not been established.

 

Security Recommendations and Global Relevance

 

Google and other cybersecurity experts emphasize the importance of keeping devices updated. The most recent versions of iOS are immune to the threats posed by Coruna, making it critical for users to install the latest software updates. Moreover, for individuals facing high-risk cyber threats, activating Apple's Lockdown Mode is advised; this security feature restricts potential attack vectors on mobile devices. The warning holds global significance, especially in regions with burgeoning cryptocurrency activities, such as Nigeria, where cybercriminals frequently leverage fake investment platforms or phishing sites to extract wallet credentials.