
Cybercriminals Now Using Government iPhone Hacking Tools

Summary

– A powerful iPhone hacking tool called Coruna, originally used by a government, has leaked and is now being used by cybercriminals and Russian spies.
– Google discovered the exploit kit, which can hack iPhones through a malicious website by chaining together 23 vulnerabilities in older iOS versions.
– Security firm iVerify linked the Coruna kit to the U.S. government based on similarities to previously known U.S. hacking tools.
– The leak illustrates a dangerous market for “secondhand” government exploits, which are sold and reused by financially motivated hackers.
– This follows a pattern where leaked government tools, like the NSA’s EternalBlue, are later weaponized in major cyberattacks.

A significant and concerning shift is occurring in the digital underworld, as sophisticated government-grade iPhone hacking tools are now being deployed by cybercriminals. Security experts have uncovered a powerful exploit framework, known as Coruna, that has transitioned from a state-sponsored surveillance operation into the arsenals of financially motivated hackers and foreign espionage groups. This development highlights a dangerous new market for “secondhand” exploits and underscores the inevitable risks when advanced cyber weapons are developed, regardless of their original intent.

Google’s Threat Analysis Group first spotted the Coruna kit in early 2025 during a government vendor’s targeted spyware operation. Months later, the same tools were identified in a widespread campaign by a Russian intelligence group targeting users in Ukraine. Perhaps most alarmingly, investigators later found the identical exploit framework being used by a hacker in China whose motives were purely financial. The path of this leak remains unclear, but it demonstrates a troubling proliferation chain from state actors to criminal enterprises.

The mobile security firm iVerify obtained and analyzed the hacking tools, linking them to the U.S. government based on technical similarities to previously attributed American cyber frameworks. In a stark warning, the company stated, “The more widespread the use, the more certain a leak will occur.” They emphasized that while the origin is notable, the critical takeaway is that such powerful tools will inevitably escape controlled environments and be weaponized by malicious actors without restraint.

The technical capabilities of the Coruna kit are formidable. It is delivered as a “watering hole” attack, meaning an iPhone can be compromised simply by its user visiting a malicious website that hosts the exploit code, often reached via a deceptive link. The kit leverages a chain of 23 separate vulnerabilities, providing five distinct methods to breach device security. iPhones running iOS versions from 13 up to 17.2.1 (the latter released in December 2023) are vulnerable to these attacks.

This incident is not without precedent in the world of cyber weapons. A famous example occurred in 2017 when hacking tools developed by the U.S. National Security Agency were stolen and later published. One of those tools, EternalBlue, was subsequently used by cybercriminals in global attacks, including the devastating WannaCry ransomware outbreak linked to North Korea. More recently, a former executive from a U.S. defense contractor was sentenced to prison for stealing and selling eight powerful software exploits to brokers, including one known to work with the Russian government.

The emergence of Coruna in criminal hands signals a blurring of lines between espionage and cybercrime. It serves as a potent reminder that vulnerabilities and the tools built to exploit them represent a persistent threat. Once these digital weapons are created, controlling their spread becomes nearly impossible, creating enduring security challenges for individuals, companies, and governments worldwide. The cycle of creation, leakage, and criminal adaptation appears to be an entrenched and growing facet of modern cybersecurity.

(Source: TechCrunch)
