The kit, dubbed “Coruna”, targets iPhones running iOS 13.0 through 17.2.1 and hunts for seed phrases and apps such as MetaMask and Uniswap.
Researchers at Google’s Threat Intelligence Group (GTIG) have identified a new exploit kit targeting Apple iPhone users with the goal of stealing crypto wallet seed phrases and other financial data. The discovery was made public in a report released on March 3.
The kit, named “Coruna” by its developers, targets iPhone devices running iOS versions from 13.0 through 17.2.1. According to GTIG, Coruna features “five complete iOS exploit chains and a total of 23 exploits,” including some that were previously unknown. Google’s team first identified the kit in February 2025 and subsequently tracked its use by a suspected Russian espionage group against Ukrainian users, before later finding it deployed on fraudulent Chinese crypto websites.
GTIG reconstructed the chain of events: in February 2025, it detected parts of the iOS exploit within a system in which a surveillance company’s client was using JavaScript to fingerprint devices and deliver the appropriate exploit. Later, the same JavaScript framework was found embedded in multiple compromised Ukrainian websites, where it was “delivered only to specific iPhone users originating from a defined geolocation.” By December of the same year, the framework had been spotted on “a very large set of fake Chinese websites, mostly finance-related,” including one impersonating the exchange WEEX.
When a user visits one of these sites on an iOS device, the framework activates the kit, which searches for financial information by scanning text for seed phrases and keywords such as “backup phrase” or “bank account.” The kit also targets popular crypto apps, including Uniswap and MetaMask, in order to extract funds or sensitive data.
GTIG noted that the kit does not work against the most recent versions of iOS and urged all iPhone users to update their devices to the latest available version of the operating system. For those unable to perform the update, the recommendation is to enable “Lockdown Mode,” which Apple identifies as an effective measure against sophisticated attacks.
