Thursday, 05 Mar 2026

Google investigates potential iPhone mass hack

admin
5 Mar 2026 13:53



  • Google has identified a sophisticated Apple iOS hacking toolkit that can be used to attack iPhone customers who have not updated to the latest version of the operating system.
  • The kit reads seed phrases and other financial app credentials stored on the device. The so-called Coruna kit uses five full exploit chains and a total of 23 vulnerabilities in iOS versions 13.0 to 17.2.1.

The attacks are delivered via prepared websites disguised as legitimate crypto and financial portals; the name of the global crypto exchange WEEX was also abused. As soon as a customer with a vulnerable iPhone opens such a website, JavaScript analyzes the operating system of the affected device and, where applicable, copies the malware to it.

The Coruna kit then searches messages, notes, files and app containers for terms such as “seed phrase”, “backup phrase”, “login”, “wallet” etc.

From security tool to crime tool

The Coruna kit first appeared at the beginning of 2025 in the environment of a security provider that apparently used it in attacks to detect vulnerabilities. Experts later found Coruna on Ukrainian websites that installed the malware on iPhones operated in certain regions.

At the end of 2025, Coruna was discovered more and more frequently on fraudulent Chinese financial websites – a clear indication that the tool from the security technology sector had reached the mass market of criminal wallet drain operations via state espionage.

Security experts at iVerify believe it is possible that Coruna originally came from a US environment, while security specialist Kaspersky sees no clear evidence of this.

One-click attack on 23 iOS vulnerabilities

Coruna uses WebKit vulnerabilities for remote code execution and then bypasses protection mechanisms such as Apple’s Pointer Authentication Code. Coruna then gains administrator rights, searches the file system for wallet strings, extracts QR codes from the image database and reads unencrypted notes.

Customers who use self-custody wallets such as MetaMask, Uniswap or BitKeep on older iOS versions are particularly affected. The attacks are completely interactionless – just visiting the manipulated website is enough.

According to experts, tools that were once reserved for secret services are now being used for “everyday” crypto thefts.

Protective measures

Apple has now closed the vulnerabilities in iOS 17.3 and later versions. However, this only protects iPhone customers who actually keep the operating system up to date – and that’s by no means all of them.


The threat remains significant because many devices continue to run older operating system versions. Google strongly recommends updating to the latest iOS version or, alternatively, activating Lockdown Mode, which makes attacks more difficult.
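For teams that manage a fleet of iPhones, the version range above can be turned into a quick inventory triage. The following is an added example, not code from Google, Apple or the article's author; the CSV layout, device names and status labels are assumptions, and the affected range (iOS 13.0 to 17.2.1) is the one stated in this article.

```python
import csv
import io
import re

# Range as stated in the article: Coruna targets iOS 13.0 through 17.2.1,
# and the vulnerabilities are closed in iOS 17.3 and later.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE_INVENTORY = """device,os_version,lockdown_mode
finance-01,17.2.1,no
finance-02,17.3,no
exec-01,16.7.10,yes
lab-01,iOS 15.8,no
lab-02,12.5.7,no
kiosk-01,unknown,no
"""

def parse_version(text):
    """Return (major, minor, patch), or None if no version can be parsed."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    # Missing components count as 0, so "17.3" becomes (17, 3, 0).
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(version_text, lockdown):
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable version: needs manual review
    # Numeric tuple comparison; string comparison would misorder 16.7.10 and 16.7.9.
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "exposed-lockdown" if lockdown else "exposed"
    return "outside-range"

def triage(inventory_csv):
    """Map each device name to its status label."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["os_version"],
                                  r["lockdown_mode"].strip().lower() == "yes")
            for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:12} {status}")
```

Devices labelled `exposed` are the priority for updating; `exposed-lockdown` devices still need the update, since the article describes Lockdown Mode only as making attacks more difficult.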

The case shows the crypto industry how attractive mobile wallets have become for attackers – and how quickly previously exclusive zero-day attack vectors fall into criminal hands. The combination of drive-by attacks with automated seed phrase extraction makes Coruna one of the most dangerous threats in recent years – and it is still relevant.
