3 min
6 Mar 26
Google Warns Of Crypto Scams Targeting Older IPhones Through New Exploit Kit - The News Chronicle
Google Warns of Cyber-Attack Tool Targeting Older iPhone Operating Systems
In a recent warning, security researchers from Google have identified a cyber-attack tool called "Coruna" that targets older versions of Apple's iPhone operating system. This malicious tool is engineered to steal cryptocurrency wallet information and is capable of compromising iPhones running iOS versions 13.0 to 17.2.1, released between 2019 and 2023. The discovery was published in a comprehensive report by Google's Threat Intelligence Group (GTIG) in March 2026.
Unveiling the Coruna Exploit Kit
The Coruna exploit kit is a sophisticated piece of software comprising five complete iOS exploit chains and 23 individual vulnerabilities. Alarmingly, some of these vulnerabilities were hitherto unknown to the public. This exploit is primarily delivered via deceptive cryptocurrency websites which, when accessed on a vulnerable iPhone, can execute hidden code to deploy customized attacks intending to extract sensitive financial information.
Targeting Cryptocurrency and Financial Data
Once the malicious tool is active, it specifically searches for cryptocurrency wallet seed phrases and scans messages for keywords linked to financial accounts like "backup phrase" or "bank account." Moreover, it can target specific data associated with popular crypto applications such as MetaMask and Uniswap, which are integral to crypto traders and investors globally.
Tracing the Origins of the Exploit Kit
Google's team initially discovered Coruna in February 2025 during investigations into a surveillance vendor's activities aimed at mobile device compromise. Continuation of this malicious activity was observed later in 2025 with compromises of Ukrainian websites, strategically targeting iPhone users based on geographical location.
The Global Spread and Alleged Cybercriminal Connections
By the end of 2025, the syndicate behind Coruna had broadened its scope, embedding the exploit within numerous counterfeit finance-related websites, suspected to be tied to Chinese cybercriminal enterprises. Intriguingly, some of these fake platforms mimicked legitimate cryptocurrency trading sites, enticing unsuspecting users into opening them on their phones, thereby initiating the malicious exploit.
Uncertainties and Security Recommendations
While the exact mechanism behind the exploit kit's proliferation remains ambiguous, it is speculated that there exists a thriving black market for previously developed hacking tools. Security company iVerify's co-founder, Rocky Cole, noted the exploit's sophistication, suggesting significant resources were invested in its development, akin to other modules linked to state-sponsored hacking activities. However, Kaspersky researchers have not found definitive technical evidence connecting the exploit kit to government-created cyber tools.
Safeguarding Against Cyber Threats
Importantly, Google emphasizes that devices running the latest versions of Apple’s operating system remain unaffected by Coruna. The tech giant urges all iPhone users to promptly update their devices to the current iOS version to mitigate risk. Additionally, for users at heightened risk of cyber threats, activating Apple's Lockdown Mode—a feature designed to limit potential vulnerabilities—comes highly recommended.
A Wake-Up Call for Global Users
Google's warning of the Coruna exploit kit should resonate globally, particularly in regions with a high prevalence of cryptocurrency adoption, such as Nigeria. These areas often witness criminals leveraging fraudulent investment platforms or phishing websites to extract cryptocurrency wallet credentials from victims, expanding the potential impact of such advanced cyber threats.
