Security researchers have discovered a series of cyberattacks targeting Apple customers around the world. The tools used in these hacking campaigns are called Coruna and DarkSword and have been used by government spies and cybercriminals to steal data from people’s iPhones and iPads.
Large-scale hacks targeting iPhone and iPad users are rare. The only precedent in the past decade has been China’s attacks on Uyghur Muslims and people in Hong Kong.
Now some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running outdated software at risk of data theft.
We break down what we know and don’t know about these latest iPhone and iPad hacking threats, and what you can do to stay protected.
What is Koruna and Dark Sword?
Coruna and DarkSword are two sets of advanced hacking toolkits that contain a variety of exploits that can break into iPhone and iPad respectively and steal personal data, including messages, browser data, location history, and cryptocurrency.
Security researchers who discovered the toolkit said Coruna’s exploit can hack iPhones and iPads running iOS 13 through iOS 17.2.1, released in December 2023.
However, according to security researchers at Google who are examining the code, DarkSword contained an exploit that could hack iPhones and iPads running the latest devices running iOS 18.4 and 18.7, released in September 2025.
But DarkSword’s threat is more immediate to the general public. Someone leaked a portion of DarkSword and posted it on the code-sharing site GitHub, making it easy for anyone to download the malware and launch their own attacks targeting Apple users running older versions of iOS.
How do Koruna and Darksword work?
This type of attack is by definition indiscriminate and dangerous, as it can trap anyone who visits a specific website hosting malicious code.
Contact us
Do you have additional information about DarkSword, Coruna, or other government hacking and spyware tools? You can contact Lorenzo Franceschi-Bicchierai securely via Signal at +1 917 257 1382 from a non-work device, or via Telegram, Keybase and Wire @lorenzofb or via email.
In some cases, victims can be hacked simply by visiting legitimate websites that are controlled by malicious hackers.
When a victim is first infected, Coruna and DarkSword can steal personal data by exploiting several vulnerabilities in iOS that allow hackers to take virtually complete control of the target device. The data is then uploaded to a web server operated by the hacker.
As TechCrunch previously reported, parts of the Coruna toolkit were originally developed by Trenchant, the hacking and spyware division of U.S. defense contractor L3Harris, which sells exploits to the U.S. government and top allies.
Kaspersky also linked two exploits in Coruna’s toolkit to Operation Triangulation. This triangulation operation is likely a government-led cyberattack targeting Russian iPhone users.
After Trenchant developed Coruna (it’s unclear how), it found these exploits finding their way into the hands of Russian spies and Chinese cybercriminals, possibly through one or more intermediaries selling the exploits on underground markets.
Coruna’s trip showed once again that powerful hacking tools, including those developed for the United States under strict secrecy restrictions, can be leaked and spread uncontrollably.
One example of this is when an exploit developed by the US National Security Agency was leaked online in 2017 that could remotely infiltrate Windows computers around the world. The same exploit was used in the devastating WannaCry ransomware attack that indiscriminately hacked hundreds of thousands of computers around the world.
For DarkSword, researchers observed attacks targeting users in China, Malaysia, Türkiye, Saudi Arabia, and Ukraine. It’s unclear who first developed DarkSword, how other hacking groups came into existence, or how the tool was leaked online.
It is unclear who leaked and posted the information online on GitHub, or why it was leaked.
The hacking tools seen by TechCrunch are written in the web languages HTML and JavaScript, making them relatively easy to configure and self-host anywhere for anyone looking to launch a malicious attack. (TechCrunch does not link to GitHub because the tools could be used in malicious attacks.) Researchers posting to X have already tested the leaked tools by hacking their own Apple devices running vulnerable versions of the company’s software.
As Justin Albrecht, principal researcher at mobile security company Lookout, explained to TechCrunch, DarkSword is now “essentially plug and play.”
GitHub told TechCrunch that it has not removed the leaked code but will preserve it for security research.
“GitHub’s Acceptable Use Policy prohibits posting content that directly supports illegal active attacks or malware campaigns that cause technical harm,” Jesse Geraci, GitHub’s online safety attorney, told TechCrunch. “However, we do not prohibit the publication of source code that could be used to develop malware or exploits because the publication and distribution of such source code has educational value and provides a net benefit to the security community.”
Is my iPhone or iPad vulnerable to DarkSword?
If you have an iPhone or iPad that is not up to date, we recommend that you update immediately.
Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.
According to iVerify: “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities exploited in these attack chains.”
According to Apple’s own statistics, nearly one in three iPhone and iPad users are still not running the latest iOS 26 software. This means that with Apple promoting over 2.5 billion active devices worldwide, there are potentially hundreds of millions of devices vulnerable to these hacking tools.
What if I can’t or don’t want to upgrade to iOS 26?
Apple also says that devices running Lockdown Mode, an additional security feature first introduced in iOS 16, also block these specific attacks.
Lockdown mode helps journalists, dissidents, human rights activists and anyone who feels they could be targeted for who they are or what they do.
Although Lockdown Mode is not perfect, there is currently no public evidence that hackers have been able to bypass Lockdown Mode’s protections. (We asked Apple if that claim still stands, and will update when we hear back.) Lockdown mode was found to have thwarted at least one attempt to plant spyware on a human rights activist’s phone.
