A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals


Google notes that Apple patched the vulnerabilities used by Coruna in the latest version of its mobile operating system, iOS 26, so the toolkit's exploitation techniques are only confirmed to work against iOS 13 through 17.2.1. It targets vulnerabilities in Apple's WebKit browser engine, so Safari users on those older versions of iOS would be vulnerable, but there are no confirmed techniques in the toolkit for targeting Chrome users (even though Chrome on iOS is itself built on WebKit). Google also notes that Coruna checks whether an iOS device has Apple's most stringent security setting, known as Lockdown Mode, enabled, and doesn't attempt to hack it if so.

Despite those limitations, iVerify says Coruna likely infected tens of thousands of phones. The company consulted with a partner that has access to web traffic data and counted visits to a command-and-control server used by the cybercriminal version of Coruna, which was planted on Chinese-language websites. The volume of those connections suggests, iVerify says, that about 42,000 devices may have already been hacked with the toolkit in the for-profit campaign alone.

Just how many other victims Coruna may have hit, including Ukrainians who visited websites infected with the code by the suspected Russian espionage operation, remains unclear. Google declined to comment beyond its published report. Apple did not immediately provide comment on Google's or iVerify's findings.

In iVerify's analysis of the cybercriminal version of Coruna—it didn't have access to any of the earlier versions—the company found that the code appeared to have been altered to plant malware on target devices designed to drain cryptocurrency from crypto wallets, as well as to steal photos and, in some cases, emails. Those additions, however, were "poorly written" compared to the underlying Coruna toolkit, according to iVerify chief product officer Spencer Parker, who found the toolkit itself to be impressively polished and modular.

"My god, these things are very professionally written," Parker says of the exploits included in Coruna, suggesting that the cruder malware was added by the cybercriminals who later obtained that code.

As for the clues that suggest Coruna's origins as a US government toolkit, iVerify's Cole notes that it's possible that the overlap between Coruna's code and the Operation Triangulation code that Russia pinned on US hackers could be explained by Triangulation's components being picked up and repurposed after they were discovered. But Cole argues that's unlikely. Many components of Coruna have never been seen before, he points out, and the entire toolkit appears to have been created by a "single author," as he puts it.

"The framework holds together very well," says Cole, who previously worked at the NSA, but who notes that he has been out of government for more than a decade and isn't basing any findings on his own outdated knowledge of US hacking tools. "It looks like it was written as a whole. It doesn't look like it was pieced together."

If Coruna is, in fact, a US hacking toolkit gone rogue, just how it got into foreign and criminal hands remains a mystery. But Cole points to the industry of brokers that may pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive of US government contractor Trenchant, was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams' sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as to others in the "Five Eyes" group of English-speaking governments—the US, UK, Australia, Canada, and New Zealand—though it's not clear what specific tools he sold or what devices they targeted.

"These zero-day and exploit brokers tend to be unscrupulous," says Cole. "They sell to the highest bidder and they double dip. Many don't have exclusivity arrangements. That's very likely what happened here."

"One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay," Cole concludes. "The genie is out of the bottle."
