Google researchers have published a technical analysis of a malicious exploit kit called Coruna, designed to steal data from cryptocurrency wallets on iOS devices. According to the Google Threat Intelligence team, the kit has been used in targeted attacks and is capable of bypassing key layers of iPhone security.
Coruna targets popular mobile wallets including MetaMask, Phantom Wallet, and Trust Wallet. It intercepts data from the applications and extracts critical information that can later be used to restore access to users’ funds.
The exploits included in Coruna do not work on iOS 18 or newer versions. They are also blocked when Lockdown Mode is enabled or when using Safari in Private Browsing mode. Google has already added the detected domains to its Safe Browsing system, allowing browsers to automatically block access to malicious pages.
Who Is Behind the Attacks
Google intercepted part of the kit in February 2025 through one of the clients of a commercial spyware vendor. In the summer of the same year, Coruna was used in watering hole attacks targeting Ukrainian websites. These operations are linked to the cluster UNC6353, which researchers in turn associate with Russian intelligence services.
By the end of 2025, the kit also began appearing in financial fraud campaigns. For example, it was used on fake Chinese websites, including a fake crypto exchange called WEEX. This activity is attributed to the group UNC6691, which focuses on direct financial profit.
What Users Should Do
iPhone users who work with cryptocurrencies are advised to update their devices to the latest version of iOS. If possible, they should enable Lockdown Mode and avoid suspicious crypto-related websites. Experts also recommend storing seed phrases offline rather than keeping them on the device.