Google has identified a potent new exploit kit, dubbed 'Coruna,' designed to compromise Apple iPhones and steal cryptocurrency wallet seed phrases. The kit targets iOS versions from 13.0 up to 17.2.1, incorporating previously unknown exploits.

Initially discovered in February 2025, Coruna has been linked to a suspected Russian espionage group targeting Ukrainians. Its use later expanded to fake Chinese cryptocurrency websites, aiming to pilfer digital assets. Google advises iPhone users to update to the latest iOS version or enable 'Lockdown Mode' for enhanced protection.

The exploit kit functions by delivering malicious code to targeted iPhone users through compromised websites, including those mimicking major crypto exchanges like WEEX. It scans for financial data, specifically looking for text containing seed phrases or keywords like 'backup phrase' and 'bank account.' The kit also targets popular crypto applications such as Uniswap and MetaMask to extract sensitive information.

The origins of Coruna are debated, with some cybersecurity firms suggesting it was developed by the US government. However, other researchers have found no definitive evidence to support this attribution.