Crypto Scams Can Cause iOS Exploitation

Google’s Threat Intelligence Group (GTIG) warns that a “new and powerful” exploit kit for iOS, named Coruna by its developers, has been deployed on fake financial and crypto websites designed to lure iPhone users onto pages that can silently deliver exploits. For crypto holders, the risk is plain: GTIG’s analysis shows campaigns that ultimately focus on harvesting seed phrases and wallet data from popular mobile apps.

Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1 and includes five full exploit chains and 23 exploits. GTIG says it discovered the kit after tracking its evolution in 2025, from early use by a customer of a commercial surveillance company, to “watering hole” attacks on vulnerable Ukrainian websites, and finally to widespread distribution via Chinese-language scam sites tied to a financially motivated actor it tracks as UNC6691.

Crypto Lure Built for iPhones

In its section on the scam wave, GTIG says it has seen the JavaScript framework behind Coruna distributed on a “large set” of fake Chinese websites with financial themes. One example cited by GTIG is a fake WEEX crypto exchange page that tried to push visitors to use an iOS device, after which a hidden iframe would be injected to deliver the exploit kit “regardless of location.”

The delivery mechanism matters because it blurs the line between phishing and direct compromise of the device: in GTIG’s telling, just loading a booby-trapped page on a vulnerable iPhone is enough to start the chain. The framework fingerprints the device to identify the device model and iOS version, then loads the appropriate WebKit remote code execution (RCE) exploit and pointer authentication code (PAC) bypass.

GTIG tied one of the WebKit RCE exploits it found to CVE-2024-23222, noting that Apple addressed it in iOS 17.3 on Jan. 22, 2024.

At the end of the chain, GTIG says Coruna drops a payload it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on traditional surveillance features and more on financial information theft. According to GTIG, the payload can decode QR codes from images stored on the device and scan blobs of text, including Apple Memos, for BIP39 word sequences and keywords such as “backup phrase” and “bank account”, which it can then extract.

The payload is also modular. GTIG says that it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions in, and extract sensitive information from, common crypto wallet apps, among them MetaMask, Trust Wallet, Uniswap wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper.

The broader arc was also flagged by mobile security firm iVerify, which published its findings at the same time as the GTIG report. “That’s exactly what’s happening here, but for mobile devices. The phone OEMs are doing as good a job as anyone…”

What Crypto Users Can Do Now

Google says Coruna is “not compatible with the latest version of iOS,” and urges users to update. If updating is not possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it has added the identified websites and domains to Google Safe Browsing to help reduce further exposure.
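The update-or-Lockdown-Mode guidance above, applied to a device inventory. This is an added example, not code from GTIG or the original article: it flags devices whose iOS version falls in the 13.0 through 17.2.1 range the article cites and suggests Lockdown Mode where a device cannot update past that range. The CSV columns, device names and version values are constructed for illustration.

```python
import csv
import io

CORUNA_MIN = (13, 0, 0)   # article: Coruna targets iOS 13.0 ...
CORUNA_MAX = (17, 2, 1)   # ... through iOS 17.2.1

# Constructed sample inventory; column names and values are assumptions.
SAMPLE_INVENTORY = """device,ios_version,max_supported_ios
phone-a,17.2.1,18.5
phone-b,16.7,16.7
phone-c,17.3,18.5
phone-d,13,15.8
phone-e,17.2.beta,18.5
phone-f,12.5.7,12.5.7
"""

def parse_version(text):
    """Return a 3-part tuple so '17.3' equals '17.3.0'; None if malformed."""
    parts = (text or "").strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(ios_version, max_supported):
    """Map one device to the action the article's guidance implies."""
    current = parse_version(ios_version)
    if current is None:
        return "unknown-version"          # cannot decide; check manually
    if not CORUNA_MIN <= current <= CORUNA_MAX:
        return "outside-coruna-range"
    ceiling = parse_version(max_supported)
    if ceiling is not None and ceiling <= CORUNA_MAX:
        return "lockdown-mode"            # no update leaves the targeted range
    return "update"                       # update to the latest iOS first

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: triage(r["ios_version"], r["max_supported_ios"])
            for r in rows}

if __name__ == "__main__":
    for device, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {action}")
```

"outside-coruna-range" only means the version is not in the range this article gives for Coruna; a device below iOS 13.0 is still unpatched against other issues.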

For crypto-native users, the takeaway is immediate: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, making “visit-compromise” campaigns particularly dangerous. The GTIG report suggests that the scam funnel wasn’t just about getting victims to connect wallets; it was about landing them on the right device, on the right version of iOS, so the exploit could do the rest.

At the time of publication, the total crypto market stood at $2.45 trillion.

The total crypto market is facing 0.786 Fib, 1 week chart | Source: TOTAL on TradingView.com

Featured image created with DALL.E, chart from TradingView.com
