iPhone Crypto Exploit Kit: Google Warns of ‘Coruna’ Seed Phrases Theft

Google Threat Analysis Group (TAG) has identified ‘Coruna’, a sophisticated iPhone crypto exploit kit that has migrated from state-sponsored espionage to mass-market financial theft targeting wallets. The toolkit, which leverages a staggering 23 vulnerabilities across iOS versions 13.0 to 17.2.1, is currently being deployed by cybercriminals to scrape BIP39 seed phrases from iPhone users visiting compromised gambling and fake exchange websites. It represents a significant escalation in mobile threats, effectively placing military-grade surveillance tools into the hands of thieves looking to drain MetaMask and managed wallets.

This discovery reveals a concerning trend of high-end exploits, once reserved for intelligence agencies, being repurposed for wider criminal activities. Apple has addressed the specific vulnerabilities exploited by this kit in iOS 17.3 and later, but the sheer number of devices running outdated software creates a lucrative target. Users visiting these ‘watering hole’ sites are vulnerable to immediate drive-by compromise without any interaction.

A few weeks ago, Apple announce that "iPhone and iPad [are] approved to handle *classified* NATO information" 😂

Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices 🙈https://t.co/cECbR9QGRZ

— Patrick Wardle (@patrickwardle) March 3, 2026

EXPLORE: Three Solana Platforms Shut Down Following $27M Exploit

The iPhone Crypto Exploit: How the Coruna Kit Targets iPhone Users

The mechanics of the Coruna exploit reveal a level of engineering typically reserved for nation-state actors, not financial fraudsters. Potential victims are lured to malicious websites masquerading as legitimate services, often fake versions of the WEEX exchange or obscure gambling portals, where a hidden JavaScript framework fingerprints the visitor’s device. If the script detects a vulnerable iPhone model, it silently delivers a WebKit remote code execution (RCE) payload, bypassing Apple’s Pointer Authentication Code (PAC) protections to gain system-level access.

Once inside the device, the malware does not bother with ransomware tactics; it goes directly for the keys to the vault. The kit initiates a scan of the file system, specifically looking for data associated with popular self-custody apps, executing a highly targeted seed phrase theft operation. It hunts for cached images of QR codes, unencrypted notes containing backup strings, and specific application data containers for wallets like MetaMask and BitKeep. The stolen data involves the exfiltration of the 12-to-24-word BIP39 mnemonic phrases that grant full control over a user’s funds, which are then transmitted to command-and-control servers via encrypted channels.

It is worth noting that this process occurs entirely in the background. The exploit chain includes sophisticated mitigation bypasses that allow it to operate without crashing the browser or alerting the user, making it particularly lethal for investors who manage high-value portfolios on mobile devices. The Coruna toolkit also employs unique obfuscation techniques to hide its traffic, complicating detection by standard mobile security filters.

EXPLORE: Shiba Inu Team Issues Critical Scam Alert on Fake SOU Recovery

The Timeline: What Google TAG Found

Google TAG’s attribution points to a chaotic market for “second-hand” cyberweapons. Initially tracked by a commercial surveillance vendor, the current wave of financial attacks is attributed to UNC6691, a financially motivated threat actor based in China. This group seems to have acquired the complete exploit kit after it was already used by UNC6353, a suspected Russian espionage group targeting Ukrainian infrastructure in mid-2025.

The shift from espionage to theft suggests that once a zero-day vulnerability enters the wild, its commodification is inevitable. UNC6691 has deployed the kit broadly, moving away from the precise targeting of their Russian predecessors to a “cast a wide net” approach suitable for an iPhone crypto exploit. This democratization of advanced scams complicates the defense landscape significantly, as tools designed to bypass government-level security are now being trained on retail crypto investors.

EXPLORE: Best New Cryptocurrencies in 2026 – Recently Launched Coins & Investment Watchlist

iPhone Users Holding Crypto: Are You at Risk?

The specific victim profile for this campaign is surprisingly narrow but highly vulnerable: iPhone users who have failed to update their devices past iOS 17.2.1 and who engage in high-risk browsing behaviors. If you use an older device to trade on obscure decentralized exchanges or visit grey-market gambling sites, you are essentially walking through a minefield. The most critical defensive step is to update to the latest version of iOS immediately, as the Coruna exploit relies on vulnerabilities that Apple has already patched.

For users unable to update their hardware, enabling Apple’s Lockdown Mode offers a strong defence against this specific iOS vulnerability. It restricts complex web technologies like Just-in-Time (JIT) JavaScript compilation, which the exploit relies on to execute its code. Additionally, serious investors should treat their mobile devices as compromised.

Never store seed phrases in screenshots or notes apps, and consider using a hardware wallet that requires physical confirmation for transactions. It’s simple: if your phone can be compromised by visiting a website, your hot wallet isn’t safe; it’s a donation box. Stay vigilant.

DISCOVER: What is the Next Crypto to Explode in 2026?

Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.

News