The March 3, 2026 disclosure of the Coruna exploit kit by Google’s Threat Intelligence Group has forced a serious reassessment of mobile security for cryptocurrency users. Coruna contained five full iOS exploit chains and 23 individual vulnerabilities capable of compromising iPhones running iOS 13.0 through 17.2.1, with a payload specifically designed to exfiltrate cryptocurrency wallet credentials. For advanced users managing significant crypto portfolios on iOS devices, a basic software update is necessary but insufficient. This walkthrough covers the technical configuration of iOS Lockdown Mode, the creation of hardened wallet environments, and the implementation of defense-in-depth strategies that go well beyond default security settings.
The Objective
This tutorial aims to establish a multi-layered security configuration on iOS that neutralizes exploit kits like Coruna even at the operating system level, while maintaining a functional cryptocurrency management workflow. The approach combines Apple’s built-in Lockdown Mode, network-level protections, isolated wallet environments, and operational security practices to create a security posture that withstands both known and unknown mobile threats.
By the end of this walkthrough, you will have a dedicated, hardened iOS configuration for cryptocurrency operations that minimizes the attack surface available to exploit kits, web-based attacks, and local privilege escalation attempts. The configuration is designed to be practical for daily use while providing significantly enhanced protection compared to default iOS settings.
Prerequisites
Before beginning this walkthrough, ensure you have the following: an iPhone running iOS 17.3 or later (to ensure base patching of Coruna-related CVEs including CVE-2024-23222), a hardware wallet such as a Ledger Nano S Plus or Trezor Model T with the latest firmware, a secondary iPhone or iPad dedicated exclusively to cryptocurrency operations if possible, access to your router’s administration panel for network-level DNS configuration, and a basic understanding of iOS Settings navigation and web security concepts.
Optional but recommended tools include a Tor relay for anonymous transaction broadcasting, a Faraday bag for air-gapped device storage, and an Enigma or Cryptosteel seed phrase backup device for physical redundancy.
Step-by-Step Walkthrough
Phase 1: Enabling and Configuring Lockdown Mode
Navigate to Settings, then Privacy and Security, then Lockdown Mode. Toggle Lockdown Mode on and confirm the warning prompt. This immediately disables several iOS features that are commonly exploited: message attachments from unknown senders are blocked, incoming FaceTime calls from unknown numbers are prevented, wired device connections are restricted when the iPhone is locked, and complex web technologies including certain JavaScript just-in-time compilers are disabled. Coruna specifically checks for Lockdown Mode and aborts execution when detected, making this the single most effective mitigation against the kit.
After enabling Lockdown Mode, configure its per-app exclusions carefully. For each cryptocurrency wallet app you use, evaluate whether it requires web browsing capabilities. MetaMask, for example, uses an in-app browser that could be excluded from Lockdown Mode protections if you enable the exclusion. Resist this temptation. Instead, use the wallet app only for signing transactions that you initiate through a separate, hardened browser session.
Phase 2: Network-Level Hardening
Configure your home router to use a DNS filtering service that blocks known malicious domains. Services like NextDNS, Cloudflare Gateway, or Quad9 provide malware domain filtering at the DNS level. This adds a network-layer defense against exploit delivery, since Coruna was delivered through compromised domains. Configure your router’s DHCP settings to distribute the filtered DNS servers to all connected devices automatically.
For on-the-go protection, install a trusted VPN application that includes DNS filtering capabilities. WireGuard paired with a self-hosted VPN server running Pi-hole provides the most control, but commercial options like Mullvad with its DNS blocking feature offer a simpler setup.
Phase 3: Creating an Isolated Wallet Environment
If using a dedicated device for crypto operations, perform a clean iOS installation by erasing all content and settings, then restoring only your wallet applications from the App Store. Do not install social media apps, games, or unnecessary utilities on this device. Each additional app increases the attack surface.
Disable Safari on the crypto device using Screen Time restrictions. Navigate to Settings, Screen Time, Content and Privacy Restrictions, Allowed Apps, and toggle Safari off. Use a hardened browser like Brave with script blocking enabled for any web3 interactions, and close it completely after each session.
Configure automatic iOS updates to install overnight. Navigate to Settings, General, Software Update, and enable Automatic Updates for both iOS updates and Security Response and System Files. This ensures that security patches, including those for vulnerabilities targeted by exploit kits, are applied as quickly as possible.
Phase 4: Transaction Workflow Hardening
Establish a strict transaction workflow that minimizes exposure. When connecting your wallet to a decentralized application, always verify the contract address and chain ID in the signing request. Never sign transactions that request unlimited token approvals. Use a dedicated approval management tool to set specific spending limits before interacting with any new protocol.
For high-value transactions, implement a two-device verification process: review the transaction details on one device, then sign on the hardware wallet while comparing the details displayed on the hardware wallet screen with those shown on the software interface. This protects against man-in-the-browser attacks that could modify transaction parameters between display and signing.
Troubleshooting
If wallet applications behave unexpectedly under Lockdown Mode, this is expected behavior. Lockdown Mode restricts certain web technologies that some wallet apps rely on for their in-app browsers. The solution is to separate the browsing layer from the signing layer: use a standard browser for interacting with dApps, and use the wallet app exclusively for signing the resulting transactions.
If DNS filtering causes legitimate dApp connections to fail, check the DNS filter logs to identify which domains are being blocked. You can whitelist specific domains while maintaining protection against known malicious infrastructure. Common legitimate domains for DeFi interactions include the RPC endpoints for Ethereum mainnet and the API endpoints for wallet connectivity.
If iOS updates fail to install automatically, check that your device has sufficient storage space and is connected to Wi-Fi and power during the scheduled update window. Security Response updates are particularly small and should install without issue on most devices.
Mastering the Skill
The configurations described in this walkthrough represent a strong baseline, but true mobile security mastery requires ongoing adaptation. Subscribe to Apple’s security-announce mailing list to receive immediate notification of new iOS security updates. Follow security researchers who specialize in mobile exploit research, particularly those who track commercial surveillance vendors and exploit kit proliferation.
Periodically audit your security configuration by reviewing Lockdown Mode exclusions, checking DNS filter logs for blocked connection attempts, and verifying that all wallet applications are running their latest versions. Consider conducting quarterly security reviews where you evaluate whether your current configuration still meets the threat landscape.
The Coruna exploit kit demonstrated that even sophisticated, government-grade exploits can proliferate to financially motivated attackers targeting cryptocurrency users. By implementing the defense-in-depth approach outlined in this tutorial, you establish a security posture that remains effective even as the threat landscape evolves.
Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals for personalized guidance.
Lockdown Mode breaks a lot of iMessage and web features but for a dedicated wallet device its worth the tradeoff
defense in depth on iOS is finally getting the attention it deserves. the isolated wallet environment section is particularly useful
The network-level protections section is something most guides skip. VPN plus DNS filtering on a wallet-only device is underrated.