iPhone users beware! Google warns: Coruna attack toolkit is rampant, exclusively stealing cryptocurrencies


Google reveals that the Coruna iOS suite contains 23 vulnerabilities, has leaked from state surveillance tools into the black market, and targets crypto assets on iPhones, stealing private keys via zero-click attacks.

Evolving from State-Level Surveillance Tools to “Asset Harvesters”

According to an in-depth report released by Google Threat Intelligence Group (GTIG), the iOS vulnerability suite codenamed Coruna (also known as CryptoWaters) poses a serious threat to iPhone users worldwide. The development of this tool has a highly dramatic history. First discovered in February 2025, it was provided by private surveillance vendors to government clients for targeted monitoring of politicians and dissidents. Later, in summer 2025, a hacker group linked to the Russian government, UNC6353, took control of the suite and used it for geopolitical espionage against Ukrainian citizens.

Image source: Google. Timeline of Coruna discovery.

As the technology leaked out, this professionally developed tool, costing millions of dollars, has officially entered the cybercrime market. Between late 2025 and early 2026, a Chinese hacking group, UNC6691, acquired the technology and shifted its focus toward digital asset theft. This marks the commodification of high-level espionage tools, transforming from targeted intelligence gathering to large-scale theft of cryptocurrency holdings. Researchers note that hackers are willing to invest significant technical resources, indicating that the enormous profits behind crypto assets drive professional-grade tools into financial crime.

Chain Reaction of 23 Vulnerabilities: Silent Penetration Behind the “Watering Hole”

Coruna features a high degree of automation and stealth, integrating 23 separate vulnerabilities that form five complete attack chains. Its impact is extensive, affecting all iPhones and iPads running iOS 13.0 through iOS 17.2.1. The hackers employ a covert “watering hole attack,” infiltrating or setting up fake cryptocurrency exchanges and financial websites to lure victims. These sites, such as counterfeit WEEX trading platforms, look and function almost identically to official sites, even using SEO and paid ads to increase exposure.

Image source: Google. Fake WEEX trading platform.

When iPhone users visit these compromised sites, background scripts immediately identify the device. The scripts silently check the iOS version, and if the device falls within the targeted range, they automatically trigger zero-click vulnerabilities, allowing full compromise without any user interaction such as clicking a download link. Some fake sites even prompt users to browse with iOS devices, claiming a better experience, but in reality they are precisely targeting unpatched, vulnerable systems.

Even Screenshots in Photo Albums Are Not Safe

Once Coruna gains control of the device, its malicious component PlasmaLoader activates, inventorying the user’s digital assets. This program has powerful scanning capabilities, actively searching for keywords like “backup phrase,” “bank account,” or “seed phrase,” and extracting key data from SMS and notes. It also features image recognition, automatically scanning screenshots in the user’s photo albums for QR codes containing wallet seed phrases or private keys.

Beyond static data collection, Coruna targets popular crypto wallet apps like MetaMask and Uniswap. Hackers attempt to extract sensitive information from these apps to gain full control of wallets. In multiple known cases, victims’ funds were transferred shortly after visiting fake websites. Because the attack targets system-level permissions, any digital traces of private keys left on the device are vulnerable to this espionage-grade tool.

Image source: Google. List of apps vulnerable to malicious attacks.

Defense Rules and Survival Tips? System Updates Are Key to Security

In the face of such sophisticated threats, iPhone users should adopt clear protective measures. Google’s report states that Coruna is ineffective against iOS 17.3 or higher. Although newer versions are available, some users with older devices or insufficient storage may not update promptly, exposing themselves to risk. For those unable to upgrade to a secure version, enabling Apple’s “Lockdown Mode” is an effective countermeasure; once the malicious software detects this mode, it ceases operation to avoid detection.
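For anyone managing more than one device, the version boundary above can be turned into a triage check. The following is an added example, not code from Google's report or from this article; the inventory field names (`name`, `os_version`, `lockdown_mode`), the status labels and the sample fleet are assumptions constructed for illustration.

```python
import re

# Boundaries as stated in the article: affected from iOS 13.0 through 17.2.1,
# not affected from 17.3. Anything below 17.3 is treated as affected.
AFFECTED_MIN = (13, 0, 0)
FIRST_SAFE = (17, 3, 0)

_VERSION = re.compile(r"(?:iOS|iPadOS)?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", re.I)

def parse_version(text):
    """Turn '17.2.1' or 'iPadOS 16.7' into a 3-tuple of ints, or None."""
    m = _VERSION.fullmatch((text or "").strip())
    if not m:
        return None
    # Missing components count as 0 so that '17.3' compares as (17, 3, 0).
    return tuple(int(g or 0) for g in m.groups())

def triage(device):
    """Classify one inventory record (hypothetical schema)."""
    v = parse_version(device.get("os_version"))
    if v is None:
        return "unknown"      # an unreadable version is never assumed safe
    if v >= FIRST_SAFE:       # tuple comparison, so 17.10 sorts above 17.3
        return "ok"
    if v < AFFECTED_MIN:
        return "review"       # older than the range the article covers
    # In the affected range: Lockdown Mode is the stopgap the article names.
    return "mitigated" if device.get("lockdown_mode") else "update"

# Constructed sample inventory, not real devices.
FLEET = [
    {"name": "phone-a", "os_version": "17.2.1"},
    {"name": "phone-b", "os_version": "iOS 17.3"},
    {"name": "tablet-c", "os_version": "iPadOS 16.7", "lockdown_mode": True},
    {"name": "phone-d", "os_version": "12.5.7"},
    {"name": "phone-e", "os_version": ""},
    {"name": "phone-f", "os_version": "17.10"},  # hypothetical, tests ordering
]

def summarize(fleet):
    """Group device names by triage status."""
    report = {}
    for d in fleet:
        report.setdefault(triage(d), []).append(d["name"])
    return report

if __name__ == "__main__":
    for status, names in sorted(summarize(FLEET).items()):
        print(f"{status:9} {', '.join(names)}")
```

Comparing versions as integer tuples rather than strings matters here: as strings, "17.10" sorts below "17.2.1" and "9.3.5" sorts above "13.0", which would misclassify both.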

Cybersecurity experts recommend that crypto holders follow basic survival rules. The primary protection is to use hardware wallets (like Ledger or Trezor), keeping private keys offline and disconnected from iOS environments. Additionally, immediately delete all screenshots containing seed phrases or private keys from photo albums and switch to offline physical backups.

Although Coruna attempts to avoid detection by bypassing incognito modes, this is only a temporary measure. As digital assets grow in value, maintaining software updates and cybersecurity vigilance has become a fundamental responsibility for every investor.
