
Mar 05, 2026 · 6 min read

The US Government Built an iPhone Hacking Kit With 23 Exploits. Then It Leaked.

Researchers at Google and iVerify have reverse engineered Coruna, a sophisticated iOS exploit framework they believe was built by the US government. It has since been used by Russian spies, Chinese cybercriminals, and commercial surveillance vendors.

An iPhone on a dark surface with its screen cracked, revealing circuit board patterns underneath, with streams of blue and red digital code emerging from the cracks

A Government Toolkit Goes Rogue

On March 3, 2026, Google's Threat Intelligence Group and mobile security company iVerify published joint research on Coruna, an exploit kit that chains 23 vulnerabilities across five complete attack paths to compromise iPhones running iOS 13 through 17.2.1. The kit represents one of the most sophisticated iOS exploitation frameworks ever publicly documented.

What makes Coruna unusual is not just its technical sophistication. It is where it came from. iVerify co-founder Rocky Cole described the codebase as "superb," "elegantly written," and "fluid." The code contained comments written by native English speakers with references that Cole characterized as "reminiscent of the sort of insider jokes" typical of US defense industry developers. Both research teams believe the framework was originally built by or for the US government.

Then it leaked. Google documented the same exploit kit being used first by a commercial surveillance vendor on behalf of a government client, then by a Russian espionage group targeting Ukrainian users, and finally by financially motivated Chinese cybercriminals. At least 42,000 devices were compromised, a number described as massive for the iOS platform.

How the Attack Works

The attack begins when a victim visits a compromised website; nothing beyond loading the page is required. A hidden iframe loads JavaScript that quietly fingerprints the device: iPhone model, iOS version, and security configuration. Based on that profile, the kit either selects the matching exploit chain from its arsenal of 23 vulnerabilities or, if the device is patched or hardened, does nothing at all.
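The fingerprint-then-dispatch step, as an added illustration. This is not Coruna's code and is not taken from the Google or iVerify report; it only reproduces the decision the article describes: read the iOS version out of Safari's user-agent string, reject anything outside the kit's range, and pick a chain by version. The version ranges are the ones the article reports for the two WebKit bugs and for the kit overall; the sample user agents, the function names and the choice to fingerprint from the user agent alone are assumptions. The same check, run the other way round over web-server logs or an MDM inventory, answers the "who is at risk" question in the last section.

```javascript
// Added illustration (not code from Coruna or from the researchers' report):
// how a drive-by exploit kit fingerprints an iOS device from the browser and
// dispatches to an exploit chain by OS version. Version ranges are those the
// article reports; the dispatch logic and sample user agents are constructed.

// Chains the article enumerates, with the iOS versions each covers (inclusive).
const CHAINS = [
  { cve: "CVE-2024-23222", bug: "WebKit type confusion", min: "16.6", max: "17.2.1" },
  { cve: "CVE-2023-43000", bug: "WebKit use-after-free", min: "16.2", max: "16.5.1" },
];

// Overall span the kit covers per the article (iOS 13 through 17.2.1). The
// article does not enumerate the chains for the rest of that span, so a version
// inside it but outside CHAINS is reported as "in range, chain unknown".
const KIT_MIN = "13.0";
const KIT_MAX = "17.2.1";

// "17.2.1" -> [17, 2, 1]; missing components become 0.
function versionFromString(s) {
  const parts = s.split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Safari on iOS reports the OS version in its user agent, e.g.
// "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) ...".
// Older iPads report "CPU OS 16_5 like Mac OS X". Returns [major, minor, patch]
// or null when the user agent is not from iOS Safari.
function parseIosVersion(userAgent) {
  const m = /CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?/.exec(userAgent);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Component-wise compare of [major, minor, patch]: negative, 0, or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function inRange(v, min, max) {
  return compareVersions(v, versionFromString(min)) >= 0 &&
         compareVersions(v, versionFromString(max)) <= 0;
}

// The kit's decision for a visiting device, as the article describes it:
// not iOS -> ignore; outside the targeted span (patched) -> ignore;
// otherwise hand the device to the chain whose range contains its version.
function selectChain(userAgent) {
  const v = parseIosVersion(userAgent);
  if (v === null) return { version: null, status: "not-ios", chain: null };
  if (!inRange(v, KIT_MIN, KIT_MAX)) return { version: v, status: "out-of-range", chain: null };
  const chain = CHAINS.find((c) => inRange(v, c.min, c.max)) || null;
  return { version: v, status: chain ? "exploitable" : "in-range-chain-unknown", chain };
}

// Constructed sample user agents (not captured traffic).
const SAMPLES = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
];

for (const ua of SAMPLES) {
  const r = selectChain(ua);
  const shown = r.version ? r.version.join(".") : "n/a";
  console.log(`${shown} -> ${r.status}${r.chain ? " (" + r.chain.cve + ")" : ""}`);
}
```

Two things this deliberately does not model: a real kit will also fingerprint through feature detection rather than trusting the user-agent string alone, and the article says Coruna skips Lockdown Mode and private browsing, neither of which a page script can read directly from the user agent. The version comparison is the part worth keeping: a string compare of "16.10" against "16.9" gets the wrong answer, which is why versions are split into numeric components first.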

The initial exploits target WebKit, the browser engine behind Safari and, on the affected iOS versions, every other iOS browser as well, so switching browsers does not avoid the attack. The later stages target the kernel. Notable vulnerabilities weaponized in the kit include:

  • CVE-2024-23222: a WebKit type confusion bug, used against iOS 16.6 through 17.2.1
  • CVE-2023-43000: a WebKit use-after-free flaw, used against iOS 16.2 through 16.5.1
  • CVE-2023-38606 and CVE-2023-32434: kernel vulnerabilities used for privilege escalation, previously exploited as zero-days in Operation Triangulation

After achieving remote code execution inside WebKit, the kit bypasses Apple's Pointer Authentication Code (PAC) protections, escalates privileges through the kernel bugs, and installs persistent malware. The Chinese cybercriminal group deployed a payload called PlasmaLoader that targeted cryptocurrency wallets, exfiltrating data from MetaMask, Exodus, and Bitget Wallet, and used a domain generation algorithm (DGA) to locate its command-and-control servers rather than hard-coding domains that could be blocked.

The Connection to Operation Triangulation

Coruna shares multiple exploits with Operation Triangulation, a campaign Kaspersky discovered in 2023 that targeted Russian entities with iOS spyware. Russia's FSB publicly attributed that operation to the US National Security Agency; Kaspersky itself made no attribution, and American officials never confirmed involvement.

The overlap is significant. Two of the exact zero-day exploits used in Operation Triangulation, CVE-2023-32434 and CVE-2023-38606, appear in Coruna's arsenal, suggesting either that both tools share a common origin or that Coruna's developers had access to the same vulnerability research. Apple released multiple patches in response to both campaigns and collaborated directly with Google on the Coruna investigation.

The Secondhand Exploit Market

Google observed that "how this proliferation occurred is unclear, but suggests an active market for secondhand zero day exploits." The implication is troubling. Offensive hacking tools built at enormous expense by nation states are now circulating among criminals and hostile intelligence services.

This is not the first time government hacking tools have leaked. In 2017, the Shadow Brokers released NSA exploit tools, among them the EternalBlue SMB exploit, which was repurposed weeks later in the WannaCry ransomware attack and caused billions of dollars in damage worldwide. Coruna follows the same pattern: capabilities developed for targeted intelligence operations becoming available for mass exploitation.

The difference with Coruna is that it targets iPhones, devices that hundreds of millions of people trust with their most sensitive communications, financial data, and personal information. When government exploit stockpiles leak, the security assumptions that ordinary users rely on collapse.

Who Is at Risk

Coruna is not effective against current versions of iOS. Users running iOS 17.3 or later, the release that fixed CVE-2024-23222, the newest bug in the kit, are protected against the specific exploits it contains. However, anyone using an older iPhone that no longer receives updates, or who has delayed updating, remains vulnerable.

The kit also deliberately skips devices running in Lockdown Mode or using private browsing. That choice by the operators is evidence that Apple's hardening raises the cost and risk of this class of attack enough to avoid, though it is not proof that those configurations are immune.

To protect yourself:

  • Update iOS immediately. The exploits in Coruna target versions 13 through 17.2.1. If your device supports iOS 17.3 or later, update now, and check Settings to confirm the installed version rather than assuming automatic updates ran.
  • Enable Lockdown Mode if you face elevated security risks. It disables attack surfaces that Coruna relies on, and the kit's own code avoids devices running it.
  • Replace unsupported iPhones. Devices that no longer receive iOS updates cannot be patched against these exploits.
  • Be cautious with unfamiliar links, but do not rely on that alone. The chain triggers when a page loads, with no further interaction, and the hosting sites were compromised legitimate websites, so link hygiene reduces exposure without eliminating it.

The Bigger Problem

Coruna is a reminder that the security of consumer devices depends on a fragile equilibrium. Governments stockpile vulnerabilities for offensive operations. Surveillance vendors package them into commercial products. And when those products leak, as they inevitably do, the same exploits that were meant for targeted intelligence operations become tools for mass cybercrime.

The debate over government vulnerability stockpiling is not new. But Coruna adds fresh evidence that the risks of hoarding zero-days outweigh the intelligence benefits. When a single leaked toolkit can compromise 42,000 iPhones across three continents, the argument for responsible disclosure over indefinite stockpiling becomes harder to dismiss.