Mar 13, 2026
The iPhone Hacking Kit Built for the CIA Is Now in Criminal Hands
A sophisticated exploit toolkit originally developed for U.S. intelligence was stolen, sold to Russia, and is now being deployed by Chinese cybercriminals against ordinary users.
From Five Eyes to the Black Market
In early March 2026, Google's security team and mobile security firm iVerify jointly revealed the existence of Coruna—a nation-state-grade iOS exploit kit containing 23 individual exploits organized into five complete attack chains. The toolkit targets iPhones running iOS 13 through iOS 17.2.1, covering years of Apple devices still in active use worldwide.
The origin is what makes this story extraordinary. Coruna was built by Trenchant, the hacking and surveillance division of L3Harris Technologies, one of the largest U.S. defense contractors. The toolkit was designed for use by the United States and its Five Eyes intelligence partners—the UK, Canada, Australia, and New Zealand.
It was never supposed to leave that circle. But it did.
The $1.3 Million Betrayal
Peter Williams, a former general manager at Trenchant, allegedly stole eight of the company's exploitation tools and sold them to Operation Zero, a sanctioned Russian exploit broker, for $1.3 million. Operation Zero specializes in buying and reselling zero-day vulnerabilities to Russian government clients and intelligence services.
From there, the exploits entered the hands of Russian intelligence operatives, who deployed them against targets in Ukraine as part of ongoing cyber operations in the conflict. Google's threat analysis group traced the exploit chains to active Russian state-sponsored campaigns targeting Ukrainian officials, military personnel, and civil society organizations.
From Espionage to Mass Exploitation
The story takes an even darker turn. Researchers identified a threat cluster tracked as UNC6691—linked to Chinese cybercriminals—deploying the same Coruna exploit kit at scale. A network of fake Chinese finance websites was discovered instructing visitors to "use an iPhone or iPad for a better experience," then silently delivering the exploits to anyone who complied.
This marks a first: spyware-grade capabilities, originally built for targeted intelligence operations, being used in mass exploitation campaigns against ordinary users. iVerify researchers called it "one of the most significant examples of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations."
What Coruna Can Do
The Coruna exploit kit chains together multiple vulnerabilities to achieve complete device compromise without any user interaction beyond visiting a malicious webpage. Once deployed, attackers can:
- Access all messages, emails, and photos stored on the device
- Activate the microphone and camera remotely
- Extract encryption keys and authentication tokens
- Monitor real-time location data
- Intercept end-to-end encrypted communications before encryption is applied
Apple has since released security updates for older iOS devices targeted by one of Coruna's WebKit exploits, but the full scope of the toolkit means many attack vectors may remain unpatched on devices running older iOS versions.
The Proliferation Problem
Coruna illustrates a fundamental problem with government hacking tools: once they exist, controlling who uses them becomes nearly impossible. The same pattern has played out before—the NSA's EternalBlue exploit was stolen and used in the devastating WannaCry ransomware attack in 2017. Israel's NSO Group sold Pegasus spyware to governments that used it against journalists and activists.
What makes Coruna different is the speed of proliferation. A toolkit built for the most restricted intelligence community in the world went from classified asset to Russian espionage tool to mass-market criminal weapon in a matter of months. The pipeline from government contractor to black market to mass exploitation is getting shorter.
How to Protect Yourself
While no consumer tool can fully defend against nation-state exploits, reducing your exposure is still possible:
- Update your iPhone immediately—Apple's latest patches address known Coruna exploit chains
- Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) if you face elevated risk
- Be wary of unfamiliar links, especially those that insist you open them on a specific device
- Use a mobile security tool like iVerify to scan for indicators of compromise
- Avoid clicking links in unsolicited emails—web-based exploit chains rely on getting you to a malicious page
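For anyone responsible for more than one device, the update advice above becomes an inventory question: which phones report an iOS version inside the range the article says Coruna targets (iOS 13 through 17.2.1)? The following is an added example, not code from Google, iVerify or Apple; the CSV column names and the device rows are constructed for illustration, and the check looks only at the reported version number, not at which individual patches a device has received.

```python
import csv
import io
import re

# Targeted range as stated in the article: iOS 13 through iOS 17.2.1.
RANGE_LOW = (13, 0, 0)
RANGE_HIGH = (17, 2, 1)

# Constructed sample inventory export (hypothetical columns and devices).
SAMPLE_INVENTORY = """device_id,model,os_version
A001,iPhone 11,16.7.2
A002,iPhone 15,17.2.1 (21C66)
A003,iPhone 15 Pro,17.3
A004,iPhone 8,iOS 15.8
A005,iPhone 6,12.5.7
A006,iPad Air,
A007,iPhone 13,18.1
"""

def parse_version(text):
    """Return (major, minor, patch), or None if no version can be read."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    # Missing components count as 0, so "17.3" compares as 17.3.0.
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(text):
    """Place a reported OS version relative to the targeted range."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # no usable version: needs a manual check
    if v < RANGE_LOW:
        return "below_range"
    if v <= RANGE_HIGH:
        return "in_targeted_range"
    return "above_range"

def triage(csv_text):
    """Map device_id -> classification for every inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["os_version"]) for r in rows}

def needs_attention(csv_text):
    """Devices to update or inspect first: in range, or version unknown."""
    flagged = ("in_targeted_range", "unknown")
    return sorted(d for d, s in triage(csv_text).items() if s in flagged)

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(device, status)
```

Devices with a blank or unreadable version are flagged rather than skipped, since a device that does not report its version cannot be shown to be outside the range.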
The Bottom Line
The Coruna saga proves that the line between government surveillance tools and criminal hacking kits is vanishing. When a single insider can sell classified exploits for $1.3 million, and those exploits can travel from intelligence agencies to organized crime in months, the entire premise of building offensive cyber weapons becomes a liability. Every exploit a government stockpiles is one leak away from being used against the people it was meant to protect.