Government iPhone Hacking Tools Fall into Criminal Hands After Leak

Abeerah Hashim  - Security Expert
Last updated: March 4, 2026
  • Government-grade iPhone hacking tools have leaked out of a state-level surveillance operation and landed directly in the hands of cybercriminals.
  • Google first spotted the exploit kit, named Coruna, during a government-backed spyware campaign in February 2025, and later found it in the hands of a Russian espionage group and a Chinese financially motivated hacker.
  • The kit chains together 23 separate vulnerabilities to crack iPhones five different ways, hitting devices running iOS 13 through 17.2.1.

A powerful suite of iPhone hacking tools built for government-level surveillance has now crossed into criminal territory.

Google and mobile security firm iVerify are raising the alarm after tracking the exploit kit across multiple threat actors with very different motivations, and very different targets.

From government hands to criminal operations

Google first encountered the exploit kit, called Coruna, in February 2025. A surveillance vendor was actively deploying it to hack a target’s phone on behalf of a government customer.

Months later, Google spotted the same kit inside a broad campaign by a Russian espionage group targeting Ukrainian users. Then came another discovery: a financially motivated hacker in China was running it too.

Nobody has confirmed exactly how the tools leaked or spread. But Google researchers flagged what they described as a growing market for “secondhand” exploits, government-developed tools that get resold to money-driven hackers looking to squeeze extra value out of them.

iVerify obtained and reverse-engineered the Coruna kit. The firm tied the tools directly to the U.S. government, pointing to strong similarities with hacking frameworks previously linked to American intelligence operations.

“The more widespread the use, the more certain a leak will occur,” iVerify warned. “While iVerify carries some proof that this service is a leaked U.S. government system, that ought not to overshadow the concept that these services will reach the wild sector and bad actors will use them without restraint.”

How Coruna cracks into iPhones

Coruna is not a lightweight tool. It attacks iPhones through what researchers call a “watering hole” method, where victims simply visit a malicious website carrying the exploit code. No suspicious app downloads. No elaborate tricks. One click on a planted link does the job.

This is why browser-level protections matter more than ever. Microsoft’s integration of a Cloudflare VPN into Edge is significant in that respect: it adds a layer of encryption and IP masking that can help shield users from being tracked or targeted by malicious sites hosting exploits like Coruna. A VPN does not, however, stop exploit code served by a site the user actually visits, so it complements patching rather than replacing it.

The kit strings together 23 separate vulnerabilities to break into a device five different ways. It targets iPhones running iOS 13 through iOS 17.2.1, the version Apple released in December 2023.

Wired, which first broke the story, also reported that the Coruna kit shares components with a prior hacking campaign called Operation Triangulation. Kaspersky, a Russian cybersecurity firm, alleged in 2023 that the United States government ran a campaign against iPhones belonging to Kaspersky’s own employees.

A pattern the security world knows too well

This is not the first time a government-built cyber weapon has escaped its handlers and caused serious damage.

In 2017, criminals stole a Windows backdoor that the U.S. National Security Agency had developed. That tool, EternalBlue, went public and powered the WannaCry ransomware attack, an operation North Korea carried out, which paralyzed organizations worldwide.

The Coruna situation also mirrors the case of Peter Williams, the former head of U.S. defense contractor L3Harris Trenchant. Prosecutors confirmed that Williams stole and sold eight exploits to a broker with known ties to the Russian government. A court handed him a sentence of more than seven years in prison.

According to prosecutors, his exploits could hit “millions of computers and devices” globally, with at least one sale flowing to a South Korean broker. Whether the software makers ever received a disclosure or pushed out patches remains unclear.

The cycle keeps repeating. Governments develop or purchase powerful digital weapons. Those weapons leak. Cybercriminals and rival states then pick them up and keep firing.

For iPhone users, updating to a version beyond iOS 17.2.1 is the most direct line of defense, as newer releases patch several vulnerabilities that Coruna exploits. But with secondhand exploit markets expanding, researchers warn that today’s government toolkit has a habit of becoming tomorrow’s criminal standard.

Governments aren’t just worried about leaked exploits; they’re also scrutinizing commercial apps like TikTok for potential vulnerabilities and foreign influence, highlighting the complex web of digital security challenges facing nations today.
