If you hold cryptocurrency and use an iPhone to manage your wallets, the news about the Coruna exploit kit that came to light on March 3, 2026 should be on your radar. Google’s Threat Intelligence Group revealed that a powerful iOS exploit kit containing five full exploit chains and 23 individual vulnerabilities had been circulating among multiple threat actors throughout 2025 — and it was ultimately used to target cryptocurrency wallets through fake gambling and exchange websites. With Bitcoin trading at $68,293 and Ethereum at $1,982 on the day of the revelation, the stakes for everyday crypto users have never been higher. This guide walks you through what happened, why it matters, and what you can do to protect yourself.
The Basics
Coruna is what security researchers call an “exploit kit” — a collection of pre-built tools that attackers use to hack into devices. Think of it like a master key ring that can open many different locks. In this case, the locks are security features in Apple’s iOS operating system, and the keys are software exploits that take advantage of programming flaws.
The kit targeted iPhones running iOS versions from 13.0 (released in September 2019) through 17.2.1 (released in December 2023). That means any iPhone that had not been updated to the latest iOS version was potentially vulnerable. The exploits worked through ordinary web browsing — simply visiting a compromised website with a vulnerable iPhone could trigger the attack without any action from the user.
What made Coruna particularly dangerous for crypto users was its payload. Once installed on a device, the malicious software could scan for cryptocurrency wallet applications like MetaMask and BitKeep, decode QR codes stored on the device looking for backup phrases, and exfiltrate sensitive wallet data to the attackers. In essence, it was designed to steal your crypto credentials directly from your phone.
Why It Matters
The Coruna case matters for several reasons that directly affect anyone holding cryptocurrency. First, it demonstrates that mobile devices are active targets for financially motivated attackers. The exploit kit evolved from a commercial surveillance tool used by governments to a weapon deployed against ordinary crypto users through fake websites. This progression shows that sophisticated hacking tools do not remain exclusive to state-sponsored attackers — they trickle down to criminals who target everyday people.
Second, the attack vector — web browsing — is something every smartphone user does daily. There was no suspicious link to click, no app to install, no obvious sign that anything was wrong. The compromised websites looked legitimate, including fake versions of real cryptocurrency exchanges. Users who simply visited these sites on an outdated iPhone could have their wallets compromised silently.
Third, the exploit targeted seed phrases and wallet credentials. If an attacker obtains your seed phrase, they have complete control over your cryptocurrency. No amount of two-factor authentication or strong passwords can protect you once your seed phrase is compromised.
Getting Started Guide
Protecting yourself from threats like Coruna requires a few straightforward but essential steps. Here is what every crypto holder should do immediately:
Step 1: Update your iPhone. Coruna does not work against the latest version of iOS. Go to Settings, then General, then Software Update, and install any available updates. This single action eliminates the vast majority of the risk.
Step 2: Enable Lockdown Mode if you cannot update. If you have an older device that cannot run the latest iOS, Apple offers a feature called Lockdown Mode that disables many of the features that exploit kits rely on. Find it in Settings, then Privacy and Security, then Lockdown Mode. Coruna specifically checks for Lockdown Mode and avoids execution when it is active.
Step 3: Move large holdings to a hardware wallet. Hardware wallets like Ledger or Trezor store your private keys offline, making them immune to mobile exploits. Use your iPhone wallet only for small amounts you need for daily transactions.
Step 4: Never store seed phrases digitally. Write your seed phrase on paper or engrave it on metal. Never photograph it, type it into a notes app, or save it as a file on your phone. Coruna specifically searched device storage for images containing seed phrases.
Step 5: Verify website URLs carefully. The attackers used fake versions of real exchanges. Always double-check the URL before connecting your wallet or entering credentials. Bookmark your frequently used sites to avoid landing on impostor pages.
Common Pitfalls
Many users make the mistake of thinking that because they use reputable wallet apps, they are protected. Coruna demonstrates that the vulnerability can exist at the operating system level, below the wallet application. Even the most secure wallet app cannot protect you if the operating system itself has been compromised.
Another common mistake is delaying software updates. Apple releases iOS updates regularly to patch security vulnerabilities, and the exploits in Coruna were patched over time in various iOS updates. Users who postpone updates leave themselves exposed to known, documented vulnerabilities.
Some users also assume that because they do not visit suspicious websites, they are safe. The Coruna watering hole attacks in July 2025 were delivered through legitimate Ukrainian websites that had been compromised with hidden code. You do not need to visit a shady website to be affected.
Next Steps
After completing the immediate protection steps above, consider building a more comprehensive security posture for your cryptocurrency holdings. Research multi-signature wallets for shared funds, learn about air-gapped signing devices for maximum security, and stay informed about emerging mobile threats by following security research from organizations like Google’s Threat Intelligence Group and CertiK.
The crypto ecosystem rewards those who take security seriously. Coruna was a wake-up call — make sure you are listening.
Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for personalized guidance.
5 full exploit chains, 23 vulnerabilities, all targeting crypto wallets through fake gambling sites. if youre on iOS 17.2 or below update NOW
ios 17.2 and below means this affected phones from 2019 through late 2023. thats a massive install base. the fake gambling site angle specifically targets casual crypto users who wouldnt check urls
r00t_access 4 years of affected devices is massive. the fake gambling site targeting was clever, casual users dont check urls when they think they are on a betting site
google finding this is kinda ironic considering chrome has its own exploit kit problem every other month
to be fair, google finding it before apple did is the real story here. chrome vulnerability reward program catches a lot but this was their threat intel team doing actual offensive research
Good beginner writeup. The master key analogy actually works well for explaining exploit kits to non-technical people.
^ helpful guide but honestly if youre holding serious bags on a phone, a hardware wallet is 50 bucks well spent
hw_wallet_evangelist exactly. 50 bucks for a ledger or trezor is cheaper than losing everything to a drive by exploit on a fake gambling site
5 exploit chains and 23 vulnerabilities in one kit. this wasnt some hobby project, nation state level tooling being sold to target crypto wallets