Security researchers have uncovered a series of cyberattacks targeting Apple customers around the world. The tools used in these hacking campaigns have been named Coruna and DarkSword and have been used by both government spies and cybercriminals to steal data from people’s iPhones and iPads.
It’s rare to see widespread hacks targeting iPhone and iPad users. In the past decade, the only precedents have been attacks against Muslim Uyghurs Chinaand against the people within Hong Kong.
Now, some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running out-of-date software at risk of data theft.
We break down what we know and don’t know about these latest iPhone and iPad hacking threats and what you can do to stay protected.
What is Coruna and DarkSword?
Coruna and DarkSword are two sets of advanced hacking tools that each contain a series of exploits capable of breaking into iPhones and iPads and stealing a person’s data, such as their messages, browser data, location history, and cryptocurrencies.
Security researchers who discovered the toolkits say Coruna’s exploits can hack iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023.
DarkSword, however, contains exploits capable of hacking iPhones and iPads with newer devices running iOS 18.4 and 18.7, released in September 2025, according to Google security researchers investigating the code.
But the threat from DarkSword is more immediate to the general public. Someone leaked part of DarkSword and posted it on the code-sharing site GitHub, making it easy for anyone to download the malicious code and launch their own attacks targeting Apple users running older versions of iOS.
How do Coruna and DarkSword work?
These types of attacks are by definition stealthy and dangerous, as they can trap anyone who visits a specific website that hosts the malicious code.
Contact us
Do you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
In some cases, victims can be compromised simply by visiting a legitimate website under the control of malicious hackers.
When victims are initially infected, Coruna and DarkSword exploit several vulnerabilities in iOS that allow hackers to essentially take complete control of the target’s device, allowing them to steal the individual’s personal data. The data is then uploaded to a web server run by the hackers.
At least some parts of the Coruna toolkit, as TechCrunch previously reported, were originally developed by Trenchant, a hacking and spyware unit within US defense contractor L3Harris that sells exploits to the US government and its top allies.
Kaspersky has also linked two exploits to the Coruna toolbox with Triangulation functiona sophisticated and possible government attack allegedly carried out against Russian iPhone users.
After Trenchant developed Coruna—somehow, it’s unclear how—those exploits found their way into the hands of Russian spies and Chinese cybercriminals, perhaps through one or more middlemen selling exploits on the underground market.
Coruna’s travels show again that powerful hacking tools, including those developed for the US under strict secrecy restrictions, can leak and proliferate out of control.
An example of this was in 2017 when an exploit developed by the US National Security Agency was leaked online that was capable of remotely hacking into Windows computers around the world. The same exploit was subsequently used in the devastating WannaCry ransomware attack, which hacked indiscriminately hundreds of thousands of computers around the world.
In the case of DarkSword, researchers observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia and Ukraine. It remains unclear who originally developed DarkSword, how it ended up in different hacking groups, or how the tools were leaked online.
It’s unclear who leaked and posted online on GitHub or why.
The hacking tools, seen by TechCrunch, are written in the web languages HTML and JavaScript, making them relatively easy to set up and self-host anywhere by anyone looking to launch malicious attacks. (TechCrunch is not affiliated with GitHub as the tools can be used in malicious attacks.) Researchers posting on X have already tested the leaked tools by hacking into their own Apple devices running vulnerable versions of the company’s software.
DarkSword is now “essentially plug-and-play,” as Justin Albrecht, principal researcher at mobile security firm Lookout, explained to TechCrunch.
GitHub told TechCrunch that it has not removed the leaked code, but will keep it for security research.
“GitHub’s Acceptable Use Policies prohibit the publication of content that directly supports illegal active attacks or malware campaigns that cause technical damage,” GitHub’s web security advisor Jesse Geraci told TechCrunch. “However, we do not prohibit the publication of source code that could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.”
Is my iPhone or iPad vulnerable to DarkSword?
If you have an iPhone or iPad that is out of date, you should consider updating immediately.
Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.
According to iVerification: “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all exploited vulnerabilities in these attack chains.”
According to Apple’s own statisticsnearly one in three iPhone and iPad users are still not running the latest iOS 26 software. This means there are potentially hundreds of millions of devices vulnerable to these hacking tools, since Apple advertises more than 2.5 billion active devices worldwide.
What if I can’t or don’t want to upgrade to iOS 26?
Apple also said that devices running Lockdown Mode, an additional security feature first introduced in iOS 16, also block these specific attacks.
Lockdown Mode is useful for journalists, dissidents, human rights activists, and anyone who believes they may be targeted for who they are or the work they do.
While Lockdown Mode isn’t perfect, there is no public evidence that hackers have so far been able to bypass its protections. (We’ve asked Apple if this claim still stands and will update if we hear back.) The lock feature was found to have prevented at least one attempt to install spyware on a human rights defender’s phone.
