March 5 News: Google Threat Intelligence Group (GTIG) recently released a security report stating that researchers have discovered a new iPhone exploit toolkit called “Coruna,” used to steal cryptocurrency wallet mnemonics and financial information. The toolkit targets devices running iOS 13.0 to 17.2.1 and launches targeted attacks through multiple exploit chains, drawing significant attention in the mobile security field.
The report shows that “Coruna” contains five complete iOS exploit chains, involving a total of 23 security vulnerabilities, some of which have never been publicly disclosed before. Google researchers said they first identified related attack activity in February 2025 and found that the tool was initially suspected to be used by Russian espionage groups for cyberattacks against Ukrainian users. It was later used to impersonate financial and crypto-related websites to trick users into revealing information.
The attack mainly relies on malicious web pages delivering exploit code. When iPhone users visit specific sites, JavaScript frameworks on the pages perform device fingerprinting, verify the system version, and then load the corresponding exploit chain. Researchers found the same framework on multiple compromised Ukrainian websites and noted that the attack code was only sent to iPhones in certain regions.
In December 2025, the team further detected the same framework on numerous fake Chinese-language websites related to financial services, including counterfeit crypto platform pages. Once victims access these sites on iOS devices, the tools scan for sensitive information such as mnemonic phrases, backup words, or bank account details, and attempt to read data from common crypto wallet apps to gain control of digital assets.
Google states that this exploit toolkit currently cannot run on the latest iOS versions, and recommends iPhone users upgrade their systems promptly. If upgrading is not possible, users can enable Apple’s “Lockdown Mode” to defend against complex network attacks.
Meanwhile, discussions about the origin of “Coruna” have also sparked controversy. Rocky Cole, co-founder of mobile security firm iVerify, told media that the tool is highly complex, with development costs possibly reaching millions of dollars, and shares some modules similar to those used in U.S. government cyber tools. However, Kaspersky security experts said there is currently not enough evidence to directly link its code to any known tools.
Security experts warn that cryptocurrency users should be vigilant against phishing pages and update their devices promptly when using mobile wallets or visiting related websites to reduce the risk of mnemonic leaks and digital asset theft.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Aave Sees $15.1B Deposit Outflow in 3.5 Days After KelpDAO Exploit, Stani Kulechov Outlines Recovery Efforts
Gate News message, April 23 — Aave founder Stani Kulechov outlined coordinated recovery efforts on April 22 following the KelpDAO incident, stating that the platform's priority remains protecting users and achieving orderly market conditions. He noted that teams have been working continuously with m
GateNews34m ago
Peter Schiff calls the Strategy STRC a Ponzi scheme, criticizing the SEC for inadequate regulation
Bitcoin critics and gold supporter Peter Schiff posted on X on April 23, saying that the STRC perpetual preferred stock introduced by MicroStrategy (Strategy) is “the most obvious Ponzi scheme to date,” and criticizing the U.S. Securities and Exchange Commission (SEC) for failing to effectively stop Michael Saylor from promoting STRC.
MarketWhisper1h ago
China Investment Guarantee Issues Statement Denying Unauthorized Use of Name in Fake Financial Products
Gate News message, April 23 — China Investment Guarantee (CITIC Guarantee) issued a statement on April 23 clarifying that unauthorized individuals have falsely claimed the company is partnering with Nippon Life India Asset Management (Singapore) Pte. Ltd., commonly known as NAMS, and is
GateNews2h ago
Vercel CEO Reports Broader Malware Distribution Following Security Investigation, API Keys Targeted
Gate News message, April 23 — Vercel CEO Guillermo Rauch announced that the company has completed an in-depth security investigation spanning nearly 1 petabyte of complete Vercel network and API logs, extending well beyond the initial Context.ai account breach.
The investigation revealed that
GateNews4h ago
Crypto Hacks Fuel Wall Street Tokenization Debate
High-profile crypto exploits test DeFi risk yet unlikely derail tokenization; institutions favor permissioned chains, while broader tokenization must interoperate with DeFi; stablecoins face scrutiny and possible regulatory backlash.
CryptoFrontier12h ago
Volo Protocol Loses $3.5M in Sui Hack, Commits to Absorb Losses and Freeze Hacker Funds
Gate News message, April 22 — Volo Protocol, a yield vault operator on Sui, announced yesterday (April 21) that it has begun freezing stolen assets following a $3.5 million exploit. Hackers looted WBTC, XAUm, and USDG from Volo Vaults, marking the latest major DeFi security breach in a
GateNews16h ago
