A newly discovered iPhone vulnerability is raising alarms across the crypto community. Security researchers say a sophisticated exploit kit called Coruna is targeting older iPhones and could potentially steal sensitive crypto wallet data, including recovery phrases.
The warning comes from the Google Threat Intelligence Group, which revealed that the exploit aggressively scans devices running outdated versions of Apple’s mobile software.
How the Coruna Attack Works
Coruna is not a simple malware attack. Researchers say it combines five full exploit chains and at least 23 vulnerabilities to break into devices running versions between iOS 13 and iOS 17.2.1.
The attack usually begins when a user visits a compromised or malicious website. Hidden JavaScript on the site silently scans the visitor’s device to identify the model, operating system version, and security settings.
Once a vulnerable device is detected, Coruna launches a multi-stage exploit chain that bypasses Apple’s built-in security protections. The malware then escalates system privileges, allowing attackers to install spyware and extract sensitive information from the device.
Why Crypto Wallets Are the Main Target
According to researchers, the malware is designed to hunt for encrypted wallet files, login credentials, and mnemonic recovery phrases used to restore crypto wallets.
If attackers gain access to those recovery phrases, they can instantly restore the wallet on another device and transfer the funds. This means victims could lose their entire holdings of assets like Bitcoin and Ethereum without realizing it until the transactions are complete.
Investigators say Coruna spreads through “watering hole” attacks, where hackers compromise websites frequently visited by crypto users, including fake trading platforms and phishing sites.
Possible Nation-State Links
Security firm iVerify found that parts of Coruna’s code resemble tools believed to have originated from U.S. government cyber programs.
However, researchers believe the toolkit may have leaked and is now being used by cybercriminal groups and intelligence actors from countries like Russia and China.
This could mark the first large-scale mobile exploit campaign using tools derived from nation-state cyber capabilities.
How to Protect Your Crypto
The good news is that the attack has clear limitations. Coruna fails to operate on devices running the latest iOS versions. It also stops if Apple’s Lockdown Mode is enabled and does not work in private browsing mode.
Security experts say users should take a few critical precautions:
- Keep your iPhone updated to the latest