
Mar 15, 2026 · 5 min read

The iPhone Hacking Kit Built for the CIA Is Now in Criminal Hands

A nation-state-grade exploit kit called Coruna has escaped government control and is now being used by cybercriminals to steal cryptocurrency from iPhones worldwide.

A Spy Tool Goes Rogue

Security researchers at Google and iVerify revealed in early March 2026 what may be the most significant mobile threat disclosure in years: a sophisticated iOS exploit kit codenamed Coruna that packs 23 individual exploits organized into five complete attack chains. The toolkit can compromise any iPhone running iOS 13 through iOS 17.2.1, covering devices manufactured between 2019 and late 2023.

What makes Coruna exceptional is not just its technical sophistication but its origin. According to iVerify, the exploit kit appears to have been built on the same foundations as known US government hacking tools. It was originally deployed by a customer of a surveillance vendor in highly targeted espionage operations. Then it leaked.


From Espionage to Organized Crime

Google's Threat Intelligence Group tracked the exploit kit's alarming migration. Over the course of 2025, Coruna moved from a surveillance vendor's client to Russian intelligence operatives, who deployed it in watering hole attacks targeting Ukrainian users. A group tracked as UNC6353 used compromised websites to silently deliver the exploits to visitors' iPhones.

But the most troubling development came when Coruna reached China-based cybercriminals. The criminal operators retooled the kit entirely, stripping out the espionage modules and replacing them with financial theft capabilities. The modified version targets cryptocurrency wallets, extracting recovery phrases and private keys from compromised devices.

This represents what iVerify calls the first observed mass exploitation of mobile phones by a criminal group using tools likely built by a nation state. The barrier between government-grade cyberweapons and street-level cybercrime has effectively collapsed.

How the Attack Works

Coruna primarily spreads through watering hole attacks. The criminals set up fake cryptocurrency service websites or compromise legitimate ones. When a victim visits these sites on a vulnerable iPhone, the exploit chain executes silently in the background. There is no prompt, no warning, and no user interaction required.

The five attack chains within Coruna each target different iOS versions, giving operators broad coverage across the iPhone install base. The most advanced chains use non-public exploitation techniques and mitigation bypasses that were previously unknown to security researchers.

One notable technical detail: Coruna is designed to detect and skip devices that have Apple's Lockdown Mode enabled or are using private browsing. This suggests the original developers were sophisticated enough to avoid triggering Apple's most aggressive security monitoring.

The Bigger Problem: Exploit Kit Proliferation

Coruna is not the first government exploit to leak into the wild. The Shadow Brokers dump of NSA tools in 2017 gave the world EternalBlue, which powered the WannaCry ransomware outbreak. But Coruna marks a new chapter: this is the first time a comprehensive mobile exploit kit, rather than individual vulnerabilities, has made the jump from government to criminal use.

The commercial spyware industry, which includes companies like NSO Group, Intellexa, and Paragon, develops these tools for government buyers. But the supply chain from vendor to operator to eventual leak creates a pipeline that consistently fails to contain these weapons. Each link in the chain introduces the risk of theft, resale, or unauthorized sharing.

CyberScoop reported that some of the exploits in Coruna may trace back to a US-developed framework, raising uncomfortable questions about whether American taxpayer-funded cyberweapons are now being used against American citizens.

Who Is at Risk

Anyone running an iPhone on iOS 17.2.1 or earlier is potentially vulnerable. While Apple has patched most of the underlying vulnerabilities in newer iOS versions, the reality is that millions of older devices remain on vulnerable firmware. CISA has already added three of Coruna's exploits to its Known Exploited Vulnerabilities catalog.

The current criminal campaign specifically targets cryptocurrency holders, but the underlying exploit kit is modular. There is nothing stopping operators from swapping in different payloads for different targets: email credential theft, banking trojans, or surveillance implants.

How to Protect Yourself

The most important step is straightforward: update your iPhone to iOS 17.3 or later. Coruna's attack chains do not work against patched devices. If you are running an iPhone that cannot be updated past iOS 17.2.1, you should consider replacing it.

  • Enable Lockdown Mode in Settings > Privacy & Security if you are a high-risk user. Coruna explicitly avoids devices with Lockdown Mode active.
  • Use private browsing when visiting unfamiliar websites, as Coruna also skips private browsing sessions.
  • Avoid clicking links to cryptocurrency services from unsolicited messages or social media posts.
  • Consider using a hardware wallet rather than storing cryptocurrency recovery phrases on your phone.
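
For anyone responsible for more than one phone, the version guidance above can be turned into a triage pass over a device inventory. The script below is an added example, not code from Google, iVerify or Apple. The CSV layout, column names and sample rows are constructed for illustration; only the version bounds come from this article.

```python
import csv
import io

# Version bounds as stated in the article.
FIRST_AFFECTED = (13, 0, 0)
LAST_AFFECTED = (17, 2, 1)
FIRST_FIXED = (17, 3, 0)

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
phone-001,17.2.1,false
phone-002,17.3,false
phone-003,16.7.10,true
phone-004,9.3.5,false
phone-005,,false
"""


def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); return None if it is not dotted integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def classify(os_version, lockdown_mode):
    """Return 'patched', 'exposed', 'exposed-lockdown' or 'review'."""
    version = parse_version(os_version)
    if version is None:
        return "review"  # unknown version: do not assume it is safe
    if version >= FIRST_FIXED:
        return "patched"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        # Still unpatched, so track Lockdown Mode devices separately, not as safe.
        return "exposed-lockdown" if lockdown_mode else "exposed"
    return "review"  # outside the range the article describes


def triage(inventory_csv):
    """Map each device_id to its classification."""
    return {
        row["device_id"]: classify(row["os_version"], row["lockdown_mode"] == "true")
        for row in csv.DictReader(io.StringIO(inventory_csv))
    }


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Versions are compared as integer tuples because a plain string comparison would rank "9.3.5" above "17.3" and report that device as patched.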

The Coruna disclosure is a reminder that the most dangerous hacking tools are not created by criminals in basements. They are built by governments, sold by vendors, and eventually escape into the wild where anyone can use them. Just weeks after Coruna was exposed, researchers discovered a second exploit kit called DarkSword targeting 221 million iPhones, confirming that the threat to mobile security is accelerating.