A sophisticated iOS exploit kit known as “Coruna” has emerged as a significant threat to cryptocurrency holders, employing five full exploit chains and 23 individual vulnerabilities to compromise iPhones and drain digital wallets. Discovered by Google’s Threat Intelligence Group, the kit represents a troubling convergence of state-grade surveillance tools and financially motivated cybercrime that directly impacts the crypto community.
The Exploit Mechanics
Coruna operates by exploiting vulnerabilities in Apple’s WebKit rendering engine and other iOS subsystems, enabling remote code execution through ordinary web content. The kit targets iPhone models running iOS 13.0, released in September 2019, through iOS 17.2.1, released in December 2023. Among the 23 exploits are several well-documented CVEs, including CVE-2024-23222, a WebKit zero-day patched in early 2024, and CVE-2023-38606 and CVE-2023-32434, which were previously used as zero-days in Kaspersky’s Operation Triangulation discovery.
What makes Coruna particularly dangerous for crypto users is its payload. Once installed on a device, the stager binary scans images on disk for QR codes, searching for keywords like “backup phrase” and “bank account.” It then deploys additional modules designed to exfiltrate cryptocurrency wallet data from popular applications including MetaMask, BitKeep, and other widely used wallet apps. The exploit requires no user interaction beyond visiting a compromised webpage.
Affected Systems
Google’s researchers tracked Coruna’s deployment across three distinct campaigns. In February 2025, it was used by a customer of a commercial surveillance company. By July 2025, a suspected Russian espionage group deployed it in watering hole attacks against Ukrainian websites. Most concerning for the crypto community, in December 2025, the kit appeared on fake Chinese gambling and cryptocurrency websites, marking its transition from espionage to direct financial crime.
Devices running any iOS version between 13.0 and 17.2.1 are potentially vulnerable. This encompasses hundreds of millions of iPhones worldwide, many of which may belong to cryptocurrency users who have not updated their devices. With Bitcoin trading at approximately $72,710 and Ethereum at $2,126 on the date of the latest analysis, the financial stakes for compromised wallets are substantial.
The Mitigation Strategy
Google’s threat intelligence team has confirmed that Coruna is not effective against the latest version of iOS. The primary mitigation is straightforward: update your iPhone to the most recent iOS version available. For users who cannot upgrade, Apple’s Lockdown Mode provides effective protection, as Coruna actively checks for this defensive posture and aborts execution when detected. Using private browsing mode in Safari also neutralizes the exploit kit.
For cryptocurrency holders specifically, additional layers of protection include using hardware wallets for significant holdings, enabling two-factor authentication on all exchange accounts, and avoiding the storage of seed phrases or recovery keys in any digital format accessible to a compromised device.
Lessons Learned
The Coruna case illustrates several critical trends in the cybersecurity landscape. First, the proliferation of exploit kits from state-sponsored actors to financially motivated criminals is accelerating. What was once exclusive espionage infrastructure now threatens everyday crypto users. Second, the exploit kit market appears to have an active “second-hand” trade where sophisticated tools change hands multiple times, each time reaching a broader audience of threat actors.
The fact that the vulnerabilities exploited are mostly years-old issues underscores the importance of timely software updates. Many of the CVEs in Coruna were patched long ago, yet devices running older software remain vulnerable. The crypto community, which often values privacy and decentralization, must also prioritize basic security hygiene.
User Action Required
If you own an iPhone and use it for cryptocurrency transactions, take these steps immediately. First, update to the latest iOS version. Second, enable Lockdown Mode in Settings if you handle significant crypto assets. Third, review your wallet apps and ensure they are updated to their latest versions. Fourth, consider moving high-value holdings to a hardware wallet that remains air-gapped from your mobile device. Finally, never store seed phrases, private keys, or recovery codes in photos, notes, or any app on your phone.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for your specific situation.
5 full exploit chains and 23 individual vulns in one kit. this is nation state level tooling being used to drain crypto wallets
Scanning images on disk for QR codes to find wallet seeds is next level. Who stores seed phrases as photos on their phone? Apparently enough people to make it worthwhile.
mika youd be surprised. tons of guides still tell newbies to screenshot their seed phrase for backup. thats how we get here