An iPhone-hacking toolkit used by Russian spies likely came from US military contractor

A mass hacking campaign targeting iPhone users in Ukraine and China used tools that were likely designed by U.S. military contractor L3Harris. The tools, which were intended for Western spies, wound up in the hands of various hacking groups, including Russian government operatives and Chinese cybercriminals.

Last week, Google revealed that over the course of 2025, it discovered a sophisticated iPhone-hacking toolkit had been used in a series of global attacks. The toolkit, dubbed “Coruna” by its original developer, was made up of 23 different components first used in highly targeted operations by an unnamed government customer of an unspecified surveillance vendor. It was then used by Russian government spies against a limited number of Ukrainians and finally by Chinese cybercriminals in broad-scale campaigns with the goal of stealing money and cryptocurrency.

Researchers at mobile cybersecurity company iVerify, which independently analyzed Coruna, said they believed it may have been originally built by a company that sold it to the U.S. government. Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools and spoke on condition of anonymity.

One former employee familiar with the tools said that Coruna was definitely an internal name of a component and that many of the technical details published by Google were familiar. The former employee said the overarching Trenchant toolkit housed several different components, including Coruna and related exploits. Another former employee confirmed that some of the published details came from Trenchant.

L3Harris sells Trenchant’s hacking and surveillance tools exclusively to the U.S. government and its allies in the Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given Trenchant’s limited number of customers, it is possible that Coruna was originally acquired and used by one of these governments’ intelligence agencies before falling into unintended hands. An L3Harris spokesperson did not respond to a request for comment.

How Coruna went from the hands of a Five Eyes government contractor to a Russian government hacking group and then to a Chinese cybercrime gang is unclear. But some circumstances appear similar to the case of Peter Williams, a former general manager at Trenchant. From 2022 until he resigned in mid-2025, Williams sold eight company hacking tools to Operation Zero, a Russian company that offers millions of dollars for zero-day exploits.

Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after admitting to stealing and selling the eight Trenchant hacking tools to Operation Zero for $1.3 million. The U.S. government said Williams, who had full access to Trenchant’s networks, betrayed the United States and its allies. Prosecutors accused him of leaking tools that could have allowed access to millions of computers and devices around the world.

Operation Zero, which was sanctioned by the U.S. government last month, claims to work exclusively with the Russian government and local companies. The U.S. Treasury claimed the Russian broker sold Williams’ stolen tools to at least one unauthorized user. That would explain how the Russian espionage group identified as UNC6353 acquired Coruna and deployed it on compromised Ukrainian websites to hack specific iPhone visitors.

It is possible that once Operation Zero acquired Coruna and sold it to the Russian government, the broker then resold the toolkit to someone else, perhaps another broker or directly to cybercriminals. The Treasury alleged a member of the Trickbot ransomware gang worked with Operation Zero, tying the broker to financially motivated hackers. At that point, Coruna may have passed to other hands until it reached Chinese hackers.

Google researchers wrote that two specific Coruna exploits and underlying vulnerabilities, called Photon and Gallium, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users. Operation Triangulation was first revealed by Kaspersky in 2023.

Rocky Cole, the co-founder of iVerify, said the best explanation based on what is known points to Trenchant and the U.S. government being the original developers and customers of Coruna. That assessment is based on three factors: the timeline lines up with Williams’ leaks; the structure of modules found in Coruna bears strong similarities to Triangulation; and Coruna reused some of the same exploits.

According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. Those dates line up with the timeline of Williams’ leaks and the discovery of Operation Triangulation. One former Trenchant employee said that when Triangulation was first revealed, other employees believed that at least one of the zero-days was from the company.

Another clue pointing to Trenchant is the use of bird names for some of the 23 tools, such as Cassowary and Sparrow. In 2021, it was revealed that Azimuth, one of the two startups later acquired by L3Harris and merged into Trenchant, had sold a hacking tool called Condor to the FBI.

After Kaspersky published its research on Operation Triangulation, Russia’s Federal Security Service accused the NSA of hacking thousands of iPhones in Russia. A Kaspersky spokesperson said at the time that the company did not have information on the FSB’s claims.

Boris Larin, a security researcher at Kaspersky, said that despite extensive research, the company is unable to attribute Operation Triangulation to any known group or exploit development company. Larin explained that Google linked Coruna to Operation Triangulation because they both exploit the same two vulnerabilities. He said attribution cannot be based solely on that fact, as all details have long been publicly available.

Kaspersky never publicly accused the U.S. government of being behind Operation Triangulation. Curiously, the logo the company created for the campaign is reminiscent of the L3Harris logo. It may not be a coincidence. Kaspersky has previously signaled it knew who was behind a campaign without a public attribution, as it did with the Spanish-speaking group “Careto,” which was later revealed to be run by the Spanish government.

On Wednesday, cybersecurity journalist Patrick Gray said on his podcast that he thought, based on bits and pieces he was confident about, that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign. Apple, Google, and Operation Zero did not respond to requests for comment.