Google traces leaked iPhone exploit kit from government use to cybercrime
Coruna chains 23 vulnerabilities across iOS 13 to 17.2.1; secondhand zero-days turn stockpiles into a resale market
Zack Whittaker
techcrunch.com
Google security researchers say a powerful iPhone exploit kit first seen in early 2025 in a spyware operation for a government customer has since turned up in campaigns run by a Russian espionage group and by a financially motivated hacker in China. The toolset, dubbed “Coruna,” can compromise iPhones running iOS 13 through 17.2.1 by chaining 23 vulnerabilities and triggering one of five exploit paths, according to TechCrunch’s account of Google’s findings. iVerify, a mobile security firm that reverse-engineered the kit, says it sees indications the framework originated with a US government customer.
The technical detail matters because Coruna is not a single bug but a packaged capability: a set of exploits designed to be deployed quickly against real targets, including through “watering hole” websites that infect visitors. Once such a kit exists, it becomes an asset that can be copied, traded, and reused long after the original operation ends. Google’s timeline—government use first, then a state-aligned Russian group, then profit-driven criminal use—illustrates how the same capability can migrate across very different threat actors without any public handoff.
The market mechanics are straightforward. A working chain against iPhones is expensive to develop and valuable to keep secret, so it is stockpiled—inside agencies, contractors, and brokers—rather than disclosed to Apple for patching. That stockpile creates a secondary market: if a tool leaks, it can be resold as “secondhand” exploitation to criminals who can monetize it through fraud, extortion, or account takeovers, extracting value from research they did not pay for. iVerify warns that “the more widespread the use, the more certain a leak will occur,” a point sharpened by the number of moving parts—23 vulnerabilities—required to keep Coruna functional.
The pattern is familiar. In 2017, the NSA discovered that its Windows exploitation tools had been stolen; the “EternalBlue” backdoor later powered the WannaCry ransomware outbreak. TechCrunch notes a more recent criminal case in which a former executive at defense contractor L3Harris Trenchant was sentenced after selling exploits to a broker known to work with the Russian government, with prosecutors alleging the exploits could have compromised millions of devices.
Coruna also lands in the middle of a public trust problem for consumer security. Apple’s iPhone security model is marketed as a reason to buy the device, but the practical risk to users is shaped by whether high-end exploits are quietly accumulated and circulated rather than retired through disclosure. The same secrecy that makes an exploit useful to a government targeter also makes it hard for the vendor—and the public—to know when the capability has escaped.
Google says Coruna could compromise devices simply by luring a target to a malicious site. For iPhone owners on older software, the distinction between state surveillance and ordinary cybercrime is increasingly a question of who found the exploit chain last.