A suite of government hacking tools targeting iPhones is now being used by cybercriminals

Security researchers have identified a powerful suite of hacking tools capable of compromising iPhones running older software. According to their findings, this toolset has passed from a government customer into the hands of cybercriminals.

Google stated that it first identified the exploit kit, dubbed Coruna, in February 2025. It was detected during a surveillance vendor’s attempt to hack into an individual’s phone with spyware on behalf of a government client. Months later, Google found the same exploit kit targeting Ukrainian users in a broad campaign by a Russian espionage group. Later still, it was discovered being used by a financially motivated hacker in China.

The exact method of the tools’ leak or proliferation is unclear. However, Google security researchers warn of an emerging market for “secondhand” exploits. These are sold to hackers motivated by money to extract further value from the vulnerabilities. This discovery illustrates how exploits and backdoors designed for government use can leak and ultimately be abused by cybercriminals or other non-state actors.

Mobile security company iVerify obtained and reverse-engineered the hacking tools. The company linked the Coruna exploit kit to the U.S. government, based on similarities to hacking tools previously attributed to the United States. iVerify noted that the more widespread the use of such tools, the more certain a leak becomes. They emphasized that while evidence points to a leaked U.S. government framework, the critical takeaway is that these tools will find their way into the wild and be used unscrupulously by bad actors.

Google described the hacking tools as particularly powerful because they can bypass an iPhone’s defenses simply by having the user visit a malicious website containing the exploit code. This is often achieved by sending a malicious link in what is known as a “watering hole” attack. The Coruna kit can hack into an iPhone five separate ways by chaining together 23 distinct vulnerabilities. Affected devices include iPhone models running iOS versions 13 up to 17.2.1, which was released in December 2023.

Reports indicate the Coruna kit contains components previously used in a hacking campaign called Operation Triangulation. In 2023, Russian cybersecurity firm Kaspersky claimed the U.S. government attempted to hack several iPhones belonging to its employees.

While leaks of hacking tools are rare, they are not unprecedented. In 2017, the U.S. National Security Agency discovered that tools it developed to hack Windows computers worldwide had been stolen. The Windows backdoor, known as EternalBlue, was later published and used by cybercriminals in subsequent attacks, including the 2017 WannaCry ransomware attack linked to North Korea.

In a related case, Peter Williams, the former head of U.S. defense contractor L3Harris Trenchant, was sentenced to more than seven years in prison. He pleaded guilty to stealing and selling eight software exploits to a broker known to work with the Russian government. Prosecutors stated Williams sold exploits capable of hacking into millions of computers and devices worldwide. At least one exploit was sold to a South Korean broker. It remains unclear if these exploits were ever disclosed to the software makers or patched.