Coruna: The iPhone Spyware Framework Now Used for Cryptocurrency Theft and Data Stealing
A powerful iPhone hacking framework known as Coruna has been linked to multiple high-profile campaigns targeting cryptocurrency users. Originally developed for surveillance operations, the exploit kit is now being used by hackers to steal sensitive data and cryptocurrencies from unsuspecting users.
The Coruna framework was first detected in early 2025 during a surveillance operation reportedly linked to a customer of a spyware vendor. However, it wasn't until later that year that the full extent of its capabilities became apparent. The exploit kit was found to contain multiple exploit chains capable of compromising vulnerable iPhones through malicious websites. According to analysis from Google Threat Intelligence Group and mobile security company iVerify, the framework includes several exploits targeting WebKit, the browser engine used by all iOS browsers.
Targeting WebKit and Older iOS Versions
One of the most significant findings about Coruna is its ability to target WebKit, which is used by all iOS browsers. This means that simply visiting a malicious web page could compromise devices running older iOS builds. Once triggered, the exploit chain escalates privileges from the browser to kernel-level access, allowing attackers to install malware with root permissions.
With root access on a vulnerable iPhone, attackers gain control over the device and can then search for cryptocurrency wallets, steal exchange login credentials, and extract photos and email data.
40,000+ Devices Potentially Infected by Coruna
Security firm iVerify estimates that a single crypto-focused campaign infected roughly 42,000 devices, based on connections to command-and-control servers used by the attackers. The figure indicates the scale of Coruna's impact on cryptocurrency users.
Possible Links to Earlier Spyware Campaigns
The code used in Coruna reportedly overlaps with components from Operation Triangulation, a major iPhone espionage campaign discovered in 2023. Some researchers believe that the framework may have originally been developed for government or intelligence use before leaking into the wider exploit marketplace.
Experts compare the situation to the leak of EternalBlue, which later powered large-scale cyberattacks such as WannaCry. The reuse of Coruna by different groups suggests a growing "second-hand" market for zero-day exploit frameworks.
How Government-Grade iPhone Exploits End Up in Criminal Hands
The incident highlights the risks associated with the reuse of zero-day exploit frameworks originally created for intelligence agencies or law enforcement. Researchers say that tools originally designed for government use may eventually be resold through exploit brokers, sometimes ending up in the hands of rival governments or cybercriminal groups.
Prevention is Key
While Apple has patched the known vulnerabilities used by Coruna in current iOS versions, security experts warn that the techniques behind the framework could continue to evolve. Users running older versions of iOS remain the most vulnerable.
To reduce exposure to these exploits, users must keep devices fully updated with the latest security patches. By doing so, they can significantly reduce their risk of falling victim to attacks like Coruna.
In conclusion, the Coruna framework is a powerful example of how zero-day exploit frameworks can be reused by different groups for malicious purposes. As we continue to see the reuse of these frameworks in high-profile campaigns, it's essential that users prioritize keeping their devices up to date and using reputable security software to protect themselves against cyber threats.