Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks

The common assumption among iPhone security experts has been that finding vulnerabilities and developing exploits for iOS was difficult. This process traditionally required significant time, resources, and teams of skilled researchers to break through its layers of security defenses. That meant iPhone spyware and zero-day vulnerabilities, which are not known to the software vendor before they are exploited, were considered rare. They were believed to be used only in limited and targeted attacks, as Apple itself states.

However, in the last month, cybersecurity researchers at Google, iVerify, and Lookout have documented several broad-scale hacking campaigns. These campaigns use tools known as Coruna and DarkSword, which have been near-indiscriminately targeting victims around the world who are not yet running Apple’s most up-to-date software. Some of the hackers behind these attacks include Russian spies and Chinese cybercriminals. They target victims via hacked websites or fake pages, allowing them to potentially steal phone data from a large number of people. Now, some of these tools have leaked online, allowing anyone to take the code and easily launch their own attacks against Apple users running older versions of iOS.

Apple has invested significant resources in new security and development technologies. This includes introducing memory-safe code for its latest iPhone models and launching features like Lockdown Mode specifically to counter potential spyware attacks. The goal has been to make modern iPhones more secure and to strengthen the claim that the iPhone is very hard to hack. But there are still a lot of older, out-of-date iPhones that are now easier targets for spyware-wielding spies and cybercriminals.

There are now essentially two security classes of iPhone users. Users on the latest iOS 26 running on the most recent iPhone 17 models released in 2025 have a new security feature called Memory Integrity Enforcement. This is designed to stop memory corruption bugs, some of the most commonly exploited flaws used in spyware and phone unlocking attacks. DarkSword relied heavily on memory corruption bugs, according to Google. Then, there are iPhone users who still run the previous version of Apple’s mobile software, iOS 18, or even older versions, which have been vulnerable to memory-based hacks and other exploits in the past.

The discovery of Coruna and DarkSword suggests that memory-based attacks could continue to plague users of older iPhones and iPads that lag behind the newer, more memory-safe models. Experts working for iVerify and Lookout, two cybersecurity companies that have a commercial stake in selling security products for mobile devices, say Coruna and DarkSword may also challenge the long-held assumption that iPhone hacks are rare.

iVerify’s co-founder Matthias Frielingsdorf told TechCrunch that mobile attacks are now widespread. He also said that attacks relying on zero-days against the most up-to-date software will always be charged at a premium rate, implying that these will not be used to hack people on a broad scale.

Patrick Wardle, an Apple security expert, said one problem is that people call attacks against iPhones rare or sophisticated just because they are seldom documented. But the reality, he said, is that these attacks may be out there but are not always caught. Calling them highly advanced is a bit like calling tanks or missiles advanced. It’s true, but it misses the point. That’s simply the baseline capability at that level, and most nations have them or can acquire them for the right price.

Another problem highlighted by Coruna and DarkSword is that there is now an apparently thriving second-hand market. This creates the financial incentive for exploit developers and individual brokers to essentially get paid twice for the same exploit, according to Justin Albrecht, principal researcher at Lookout. Especially when the initial exploit gets patched, it makes sense for brokers to resell it before everyone updates. This isn’t a one-time event, but rather a sign of things to come.