Suspected US government tool leak! Google reveals new type of cryptocurrency scam iPhone attack chain


Google Reveals Cryptocurrency Scam

The Google Threat Intelligence Group (GTIG) released a report on Wednesday revealing that a new iPhone vulnerability exploitation toolkit called Coruna has been deployed in large-scale cryptocurrency scam operations. Security firm iVerify disclosed that Coruna may have originated with the U.S. government and was repurposed by adversaries and cybercriminal groups after control of it was lost.

Technical Analysis of the Coruna Toolkit: How It Targets and Steals Crypto Wallets

Coruna Toolkit Technical Details
(Source: Mandiant)

Coruna uses JavaScript to fingerprint iOS devices that visit the fake websites and automatically deploys exploit code once a targeted iOS version is identified. Once the device is compromised, the toolkit systematically searches for the following sensitive information:

Crypto Mnemonics: Locally stored text containing keywords like “backup phrase” and “seed phrase”

Popular Crypto Applications: Targeting decentralized wallet apps such as Uniswap and MetaMask to extract keys or account data

Financial Account Information: Simultaneously searching for bank accounts and other sensitive payment data

GTIG confirmed that Coruna is incompatible with the latest iOS versions and strongly recommends all iPhone users update their systems immediately. Those unable to upgrade should enable Apple’s “Lockdown Mode,” which Apple states can effectively defend against highly sophisticated targeted attacks.

From Intelligence Operations to Crypto Scam Websites: Two Propagation Paths of Coruna

GTIG’s tracking shows that Coruna has gone through two distinct phases of use. Initially, suspected Russian intelligence used compromised Ukrainian websites to target iPhone users in specific geographic areas, exhibiting typical intelligence-gathering behavior.

In December 2025, GTIG discovered the same JavaScript framework within a large network of fake Chinese financial websites, including a counterfeit site mimicking the cryptocurrency exchange WEEX. When iOS users visit these fake sites, the toolkit automatically extracts financial information in the background, prioritizing crypto wallet mnemonics, posing a direct threat to assets and transforming the original intelligence tool into a large-scale cryptocurrency scam operation.

Attribution Controversy: Is It a U.S. Government Tool or Commercial Spyware?

The most debated aspect of this incident is Coruna’s potential origin. iVerify co-founder Rocky Cole told WIRED that the toolkit “is highly complex, developed at a cost of millions of dollars, and features modules publicly attributed to the U.S. government,” suggesting this may be “the first case of a U.S. government tool being hijacked and exploited by adversaries and cybercriminal groups.”

However, Kaspersky’s chief security researcher disagrees, stating that “no evidence of actual code reuse has been found in the published reports” to support this attribution. GTIG also did not disclose the identity of the initial monitoring client using Coruna, leaving the attribution question unresolved for now.

Frequently Asked Questions

Does the Coruna toolkit affect the latest iPhone versions?

GTIG confirms that all five of Coruna’s exploit chains target iOS versions 13.0 to 17.2.1 and are incompatible with the current latest iOS release. All iPhone users should update their systems immediately. Those unable to upgrade should enable “Lockdown Mode” to reduce risk.
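For teams managing many iPhones, the version range above can be turned into a fleet triage check. The following is an added example, not code from GTIG or from the original article; the inventory columns (`device_id`, `os_version`, `lockdown_mode`) and the sample rows are constructed assumptions, not a real MDM export format.

```python
import csv
import io
import re

# Range stated on this page for Coruna's five exploit chains (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory; column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
ph-001,17.2.1,false
ph-002,17.3,false
ph-003,16.7.10,true
ph-004,12.5.7,false
ph-005,,false
ph-006,18.1 (22B83),false
"""

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def parse_ios_version(text):
    """Return (major, minor, patch), or None if the string has no leading version."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())

def classify(version_text):
    """Classify one OS version string against the page's stated range."""
    version = parse_ios_version(version_text)
    if version is None:
        return "unknown"  # never treat unparseable data as safe
    return "in_range" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside_range"

def triage(inventory_csv):
    """Map device_id -> recommended action for every row of the inventory."""
    actions = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["os_version"])
        lockdown = row["lockdown_mode"].strip().lower() == "true"
        if status == "in_range":
            action = "update iOS" if lockdown else "update iOS or enable Lockdown Mode"
        elif status == "unknown":
            action = "verify OS version manually"
        else:
            action = "outside the stated range"
        actions[row["device_id"]] = action
    return actions
```

Rows with a missing or unparseable version are reported separately so they are not silently counted as unaffected.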

How did Google discover Coruna being used in crypto scams?

In February 2025, GTIG identified parts of the toolkit’s code, tracing it back to the same JavaScript framework on compromised Ukrainian websites. Later, it was fully deployed across a large network of fake Chinese websites mimicking WEEX, confirming the toolkit’s transition from intelligence gathering to a large-scale crypto scam tool.

How can I protect my crypto mnemonics from being stolen by such tools?

Besides updating iOS immediately, it is recommended to store mnemonics offline on cold storage devices (like hardware wallets or paper backups). Avoid storing mnemonics in plaintext on any internet-connected device, and verify the authenticity of all crypto-related websites to avoid visiting untrusted financial sites.
