Your iPhone Could Be a Crypto Thief’s Target: Google Exposes ‘Coruna’ Exploit Kit

Key Highlights

Google’s Threat Intelligence Group (GTIG) published what security researchers are already calling one of the most alarming mobile threat disclosures in years. The report detailed the inner workings of a fully operational iPhone exploit kit, internally dubbed “Coruna” and also tracked under the alias CryptoWaters—a name that hints at its ultimate purpose.

The kit is not novel in the technical sense; the iPhone exploit ecosystem is a well-documented, multi-billion-dollar underground market. What makes Coruna exceptional—and alarming—is its trajectory. A tool precision-engineered for covert government surveillance has been commoditized, repurposed, and is now being unleashed against ordinary cryptocurrency holders at a scale previously unseen in the mobile threat landscape.

The Three Faces of a Roaming Weapon

Google’s report traces a remarkable, almost cinematic chain of custody for the Coruna codebase. The same exploit framework appears to have passed through the hands of three distinct threat actors over the course of roughly twelve months—each with starkly different motivations.

The earliest documented use, in February 2025, was by a customer of an unnamed private surveillance vendor—a company operating in the same grey-market space as NSO Group, maker of the infamous Pegasus spyware. This phase was characterized by the narrow, high-value targeting typical of commercial spyware: politicians, journalists, and dissidents.

By the summer of 2025, however, GTIG detected the same exploit chains in a geopolitically charged context. The group designated UNC6353, assessed with moderate-to-high confidence to be aligned with the Russian government, was using Coruna to target Ukrainian citizens and infrastructure personnel. The tool had moved from commerce to statecraft.

Then, in late 2025 and into early 2026, a Chinese-speaking financially motivated cybercrime group, tracked as UNC6691, acquired the kit and pivoted its targeting entirely. The goal was no longer surveillance. It was theft—specifically, the theft of Bitcoin and other digital assets from unsuspecting iPhone users.

The ‘Watering Hole’ Infrastructure

UNC6691 deployed Coruna not through phishing emails or infected app downloads, vectors that most users have been trained to distrust, but through a technique the report describes as a “watering hole” attack. Rather than chasing individual victims, the attackers set up the sites that victims would come to on their own. Strictly speaking, a classic watering hole is a compromised legitimate site; what is described here is the lookalike-site variant, in which the attackers build the destination themselves, but the effect on the visitor is the same.

The group constructed convincing counterfeit versions of popular cryptocurrency exchanges and financial platforms. A documented example is a spoofed version of WEEX, a legitimate crypto trading platform. These fake sites are designed to be functionally indistinguishable from their real counterparts, often surfacing through search engine optimization or paid promotion channels.

When an iPhone user lands on one of these pages, a concealed iframe runs a device fingerprinting routine that silently checks the iOS version. If the device is running anything from iOS 13.0 up to and including iOS 17.2.1, the exploit chain fires automatically: no tap, no download, no interaction required. Some of the sites even displayed prompts encouraging visitors to switch to an iOS device for a “better experience”, funneling additional vulnerable targets toward the exploit.
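As an added illustration, not code from Google’s report or from the kit itself, the script below reconstructs only the version gate the article describes (the chain fires for iOS 13.0 through 17.2.1 inclusive; 17.3 and later are outside the window) and runs it over a few constructed web-server log lines, so a responder can pull out which visitors to a lookalike site were inside the exploitable range. It assumes the version is read from the Safari User-Agent string, which is the usual way a page script learns the OS version; how Coruna’s own script does it is not stated on the page. The log lines, IP addresses and function names are made up for the example.

```javascript
// Added example: reconstructs the iOS 13.0 .. 17.2.1 version gate described in
// the article and runs it over constructed access-log lines. Not the kit's code.
// Assumption: the OS version is taken from the Safari User-Agent string.

const MIN_VULNERABLE = [13, 0, 0]; // iOS 13.0, per the article
const MAX_VULNERABLE = [17, 2, 1]; // iOS 17.2.1, per the article; 17.3+ is outside the window

// Pull [major, minor, patch] out of "CPU iPhone OS 17_2_1" (iPhone) or
// "CPU OS 16_0" (iPad). Returns null for anything else, including an iPad
// that sends a desktop "Macintosh" UA, so null means "unknown", not "safe".
function parseIosVersion(ua) {
  const m = /\b(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?/.exec(ua);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric, component-wise comparison. A plain string compare would sort
// "17.10" before "17.2" and mis-classify newer builds as vulnerable.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the inclusive [13.0.0, 17.2.1] window.
function inVulnerableRange(version) {
  return compareVersions(version, MIN_VULNERABLE) >= 0 &&
         compareVersions(version, MAX_VULNERABLE) <= 0;
}

// Constructed combined-log-format lines for a hypothetical lookalike site.
// IPs are from the documentation range; nothing here comes from the report.
const SAMPLE_LOG = [
  '203.0.113.10 - - [12/Jan/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1"',
  '203.0.113.11 - - [12/Jan/2026:10:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1"',
  '203.0.113.12 - - [12/Jan/2026:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"',
  '203.0.113.13 - - [12/Jan/2026:10:01:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"',
  '203.0.113.14 - - [12/Jan/2026:10:01:20 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_10 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"',
];

// The User-Agent is the last quoted field of a combined-format line.
function userAgentOf(line) {
  const quoted = line.match(/"[^"]*"/g);
  return quoted ? quoted[quoted.length - 1].slice(1, -1) : "";
}

// Visitors whose advertised iOS version falls inside the exploitable window.
function flagVulnerableVisitors(lines) {
  const hits = [];
  for (const line of lines) {
    const version = parseIosVersion(userAgentOf(line));
    if (version && inVulnerableRange(version)) {
      hits.push({ ip: line.split(" ")[0], version: version.join(".") });
    }
  }
  return hits;
}

console.log(flagVulnerableVisitors(SAMPLE_LOG));
```

On the constructed lines this flags 203.0.113.10 (17.2.1, the last vulnerable build) and 203.0.113.14 (16.7.10), and skips the 17.3 device, the pre-13.0 device and the Android client. Two caveats when using this on real logs: a User-Agent is client-controlled and can be spoofed, and an iPad with “Request Desktop Website” on reports itself as a Mac, so treat a line that does not parse as unknown rather than as safe.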

Steps for iPhone Users To Protect Themselves

The defensive picture, while sobering, is not without clear and actionable remedies. Google’s report and subsequent analysis by independent researchers point to four priority actions:

  1. Update iOS Immediately: Coruna is ineffective against iOS 17.3 and later (current release: iOS 26). Any device updated within the past year is outside the exploitable range; confirm the version under Settings > General > Software Update rather than assuming.
  2. Enable Lockdown Mode: Google confirmed that Coruna’s PlasmaLoader self-terminates when it detects that Lockdown Mode is active. For a device that cannot be updated past iOS 17.2.1, this is the most effective real-time mitigation.
  3. Use a Hardware Wallet: Private keys stored on a hardware wallet (Ledger, Trezor) never touch the iOS environment, so even a fully compromised iPhone cannot sign transactions on its own. A compromised phone can still show you a tampered destination address, so confirm the address and amount on the wallet’s own screen before approving anything.
  4. Purge Sensitive Photos: PlasmaLoader scans the photo library for wallet QR codes. Delete any images of seed phrases, private keys, or wallet backup codes, and keep such backups only on offline media.

Security researchers also note that Coruna skips execution when it detects that the user is in a private or incognito browsing session. The operators’ reason for this is not stated on the page, and private browsing is not a reliable or recommended defense, but the behaviour is a useful signature: incident responders examining a suspected delivery site can treat it as one of the kit’s tells when deciding what they are looking at.

Published by
kryptonew
