© 2026 By Crypto Times. All Rights Reserved.

Your iPhone Could Be a Crypto Thief’s Target: Google Exposes ‘Coruna’ Exploit Kit

Google has exposed "Coruna," an iPhone exploit framework that began life as nation-state surveillance software and has since been repurposed to silently drain cryptocurrency wallets at an unprecedented scale.

Written by Dhara Chavda
Fact checked by Divya Mistry
Published March 5, 2026 2:12 PM · Updated 4 months ago

Key Highlights

  • The “Coruna” kit bundles 23 individual exploits into 5 full chains, targeting every iPhone and iPad running iOS 13.0 through iOS 17.2.1.
  • Updating to iOS 17.3 or later (current: iOS 26) renders Coruna entirely ineffective; enabling Lockdown Mode causes the malware to self-terminate on contact.

Google’s Threat Intelligence Group (GTIG) published what security researchers are already calling one of the most alarming mobile threat disclosures in years. The report detailed the inner workings of a fully operational iPhone exploit kit, internally dubbed “Coruna” and also tracked under the alias CryptoWaters—a name that hints at its ultimate purpose.

The kit is not novel in the technical sense; the iPhone exploit ecosystem is a well-documented, multi-billion-dollar underground market. What makes Coruna exceptional, and alarming, is its trajectory. A tool precision-engineered for covert government surveillance has been commoditized, repurposed, and is now being unleashed against ordinary cryptocurrency holders at a scale previously unseen in the mobile threat landscape.

The three faces of a roaming weapon

Google’s report traces a remarkable, almost cinematic chain of custody for the Coruna codebase. The same exploit framework appears to have passed through the hands of three distinct threat actors over the course of roughly 12 months—each with starkly different motivations.

The earliest documented use, in February 2025, was by a customer of an unnamed private surveillance vendor—a company operating in the same grey-market space as NSO Group, maker of the infamous Pegasus spyware. This phase was characterized by the narrow, high-value targeting typical of commercial spyware: politicians, journalists, and dissidents.

By the summer of 2025, however, GTIG detected the same exploit chains in a geopolitically charged context. The group designated UNC6353, assessed with moderate-to-high confidence to be Russian government-aligned, was using Coruna to target Ukrainian citizens and infrastructure personnel. The tool had moved from commerce to statecraft.

Then, in late 2025 and into early 2026, a Chinese-speaking financially motivated cybercrime group, tracked as UNC6691, acquired the kit and pivoted its targeting entirely. The goal was no longer surveillance. It was theft—specifically, the theft of Bitcoin and other digital assets from unsuspecting iPhone users.

The ‘watering hole’ infrastructure

UNC6691 deployed Coruna not through phishing emails or infected app downloads—vectors that most users have been trained to distrust—but through a more insidious technique known as a “watering hole” attack. Rather than chasing victims, the attackers poisoned the wells that victims habitually visit.

The group constructed convincing counterfeit versions of popular cryptocurrency exchanges and financial platforms. A documented example is a spoofed version of WEEX, a legitimate crypto trading platform. These fake sites are designed to be functionally indistinguishable from their real counterparts, often surfacing through search engine optimization or paid promotion channels.

When an iPhone user lands on one of these pages, a concealed iFrame executes a device fingerprinting routine. The script silently checks the iOS version. If the device is running iOS 17.2.1 or any earlier version—stretching all the way back to iOS 13.0—the exploit chain fires automatically. No tap, no download, no interaction required. Some sites even displayed prompts actively encouraging users to switch to an iOS device for a “better experience,” funneling additional vulnerable targets toward the exploit.

Steps for iPhone users to protect themselves

The defensive picture, while sobering, is not without clear and actionable remedies. Google’s report and subsequent analysis by independent researchers point to four priority actions:

  1. Update iOS Immediately: Coruna is entirely ineffective against iOS 17.3 and later (current release: iOS 26). Any device updated within the past year is protected.
  2. Enable Lockdown Mode: Google confirmed that Coruna’s PlasmaLoader automatically self-terminates upon detecting that Lockdown Mode is active. This is the single most effective real-time defense.
  3. Use a Hardware Wallet: Private keys stored on a hardware wallet (Ledger, Trezor) never touch the iOS environment. Even a fully compromised iPhone cannot access funds secured offline in this manner.
  4. Purge Sensitive Photos: PlasmaLoader scans photo galleries for wallet QR codes. Delete any images containing seed phrases, private keys, or wallet backup codes—or store them only on offline media.
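
For teams managing more than one device, the first two steps can be checked against an inventory export. The following is an added example, not code from Google's report or from this article's sources: it classifies devices using only the version range stated above (iOS 13.0 through 17.2.1 affected, 17.3 and later not). The CSV column names and the sample inventory are constructed for illustration and do not follow any particular MDM product's schema.

```python
import csv
import io

# Range stated in the article: iOS 13.0 through 17.2.1 affected; 17.3+ not.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
FIXED_FROM = (17, 3, 0)

# Constructed sample inventory; column names are hypothetical.
SAMPLE_INVENTORY = """device,os_version,lockdown_mode
exec-iphone-01,17.2.1,false
exec-iphone-02,17.2.1,true
field-ipad-07,16.7,false
dev-iphone-11,17.3,false
lab-iphone-03,26.0,false
legacy-ipad-02,12.5.7,false
kiosk-ipad-09,unknown,false
"""

def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); return None if it is not a dotted number."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(os_version, lockdown_mode):
    """Map one device to a triage status based on the article's stated range."""
    version = parse_version(os_version)
    if version is None:
        return "unknown-version"          # needs manual follow-up
    if version >= FIXED_FROM:
        return "not-affected"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        # Lockdown Mode is reported to stop the loader, but updating is still step 1.
        return "affected-lockdown-on" if lockdown_mode else "affected-update-now"
    return "outside-stated-range"         # the article makes no claim below iOS 13.0

def triage(inventory_csv):
    """Return {device: status} for every row of the inventory CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["os_version"],
                                  r["lockdown_mode"].strip().lower() == "true")
            for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:16} {status}")
```

Devices reported as `unknown-version` or `outside-stated-range` are deliberately not treated as safe, since the article's range says nothing about them.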

Security researchers also note that Coruna skips execution when it detects the user is in a private or incognito browsing session—an apparent anti-forensics measure to reduce the digital footprint of the attack. While this is not a reliable or recommended primary defense, it is an interesting behavioral signature that may assist incident responders in attribution.


Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information