Security researchers have identified a powerful suite of hacking tools that can compromise Apple iPhones running outdated software that government customers have passed into the hands of cybercriminals.
Google said Tuesday that it first discovered an exploit kit called Coruna in February 2025 during a surveillance company’s attempt to hack someone’s phone with spyware on behalf of a government customer. Months later, the same exploit kit was discovered targeting Ukrainian users in a larger campaign by a Russian spy group, and was later discovered to have been used by financially motivated hackers in China.
It’s unclear how the tool was leaked or spread, but Google security researchers warned that “second-hand” attacks are likely in emerging markets. These attacks are sold to hackers looking for money to extract more value from the attacks.
The findings also show how exploits and backdoors designed for government use can be leaked and ultimately exploited by cybercriminals or other non-state actors. Mobile security company iVerify, which obtained and reverse-engineered the hacking tool, said in a blog post that it linked the Koruna exploit kit to the U.S. government based on its similarities to hacking tools previously believed to be American.
“The more widespread its use becomes, the more likely it is that leaks will occur,” iVerify said. “iVerify has some evidence that these tools are leaked U.S. government frameworks, but that should not overshadow the knowledge that these tools will spread out into the wild and be used unscrupulously by bad actors.”
Google said this hacking tool is powerful because it can bypass the iPhone’s defense system simply by visiting a malicious website containing exploit code, such as sending a malicious link in a ‘watering hole’ attack. According to Google, the Coruna kit can hack your iPhone in five ways by leveraging 23 individual vulnerabilities in its digital arsenal and linking them together. Affected devices range from iPhone models running iOS 13 to 17.2.1 released in December 2023.
According to Wired, which first reported the news, the Coruna kit contains components previously used in a hacking campaign called Operation Triangulation. Russian cybersecurity company Kaspersky claimed that the U.S. government attempted to hack several iPhones belonging to its employees in 2023.
Tech Crunch Event
San Francisco, California
|
October 13-15, 2026
It’s rare for hacking tools to get leaked, but it’s not unheard of. In 2017, the U.S. National Security Agency discovered that tools it had developed to hack Windows computers around the world had been stolen. The Windows backdoor known as EternalBlue was later made public and used by cybercriminals in subsequent attacks, including North Korea’s WannaCry ransomware attack in 2017.
TechCrunch recently reported the case of Peter Williams, former CEO of US defense company L3Harris Trenchant. Peter Williams was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker known to be working with the Russian government.
According to prosecutors, Williams sold exploits that allowed him to hack “millions of computers and devices” worldwide. At least one exploit was sold to a Korean broker. It is unclear whether these exploits have been disclosed to software manufacturers or whether patches have been applied.
