Google warns of iPhone exploit kit used to steal crypto wallets

Cybersecurity researchers are warning that a powerful iPhone exploit kit is increasingly being used in cybercrime campaigns targeting cryptocurrency users.

Summary
- Google researchers identified a powerful iOS exploit kit called Coruna containing 23 vulnerabilities across five exploit chains.
- The malware can scan devices for crypto wallet recovery phrases and financial data, potentially enabling attackers to drain funds.
- The tool reportedly moved from surveillance operations to nation-state espionage and eventually financially motivated cybercrime groups.

Hackers deploy iPhone exploit kit to harvest crypto wallet data
According to a new report from Google’s Threat Intelligence Group, the exploit framework, dubbed “Coruna,” contains five full iOS exploit chains and 23 vulnerabilities capable of compromising iPhones running operating systems between iOS 13 and iOS 17.2.1.
The exploit kit allows attackers to execute malicious code through web content by exploiting vulnerabilities in Apple’s WebKit browser engine and other components. Once a victim visits a compromised website, the framework fingerprints the device to identify the exact iPhone model and software version before deploying the most effective exploit chain.
Researchers say the malware can then deliver additional payloads designed to harvest sensitive data from the device, including cryptocurrency wallet information.
In some campaigns, the exploit kit was deployed through fake gambling and cryptocurrency websites that specifically targeted iPhone users.
The malicious payload could scan images and files on the device for keywords such as “backup phrase” or “bank account,” allowing attackers to extract recovery phrases and access crypto wallets.
Google’s investigation shows the exploit kit circulated among several threat actors over the past year. It was first observed in 2025 in surveillance operations, later used in watering-hole attacks against Ukrainian users by a suspected Russian espionage group, and eventually adopted by financially motivated hackers linked to China.
Security analysts say the case highlights a worrying trend in which sophisticated spyware-grade exploits migrate from government or commercial surveillance tools into the broader cybercrime ecosystem.
Researchers recommend updating devices to the latest iOS versions, as the exploit kit does not affect the newest software releases.
The findings underscore the growing intersection between mobile security threats and cryptocurrency theft, with attackers increasingly targeting digital wallets stored on smartphones.
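
A fleet-inventory check for the affected range stated above (iOS 13 through iOS 17.2.1), as an added example that is not from Google's report or this article. The CSV column names `device_id` and `os_version`, the sample rows, and treating the range as inclusive are assumptions.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13 through iOS 17.2.1.
# Treating both ends as inclusive is an assumption.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text):
    """Turn '17.2.1' or 'iOS 16.7' into a 3-tuple; return None if no version is present."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    # Missing minor/patch components count as 0, so '17.3' becomes (17, 3, 0).
    return tuple(int(p) if p else 0 for p in m.groups())


def triage(inventory_csv):
    """Sort device ids into 'affected', 'outside_range' and 'unknown' buckets."""
    result = {"affected": [], "outside_range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_ios_version(row.get("os_version"))
        if version is None:
            bucket = "unknown"  # no version reported: needs manual follow-up
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            bucket = "affected"  # inside the range named in the article
        else:
            bucket = "outside_range"
        result[bucket].append(row["device_id"])
    return result


# Constructed sample inventory (hypothetical column names, not real devices).
SAMPLE = """device_id,os_version
ios-001,17.2.1
ios-002,iOS 16.7
ios-003,17.3
ios-004,12.5.7
ios-005,
ios-006,13.0
ios-007,18.1
"""

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Devices in the `unknown` bucket reported no version and should be checked by hand rather than assumed to be up to date.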



