Security researchers have identified a series of powerful hacking tools capable of compromising iPhones running older software that they say passed from a government client into the hands of cybercriminals.
Google said on Tuesday that it first spotted the exploit kit, dubbed Coruna, in February 2025 during a surveillance vendor’s attempt to hack someone’s phone with spyware on behalf of a government client. It found the same exploit kit months later targeting Ukrainian users in a large-scale campaign by a Russian espionage group, and then found it being used by a financially motivated hacker in China.
It’s unclear how the tools were leaked or proliferated, but Google security researchers have warned of an emerging market for “second-hand” exploits, which are sold to hackers motivated by money to extract more value from the exploit.
The discovery also shows how exploits and backdoors designed for use by governments can be leaked and ultimately abused by cybercriminals or other non-state actors. Mobile security firm iVerify, which acquired and revamped the hacking tools, said in a blog post that it linked the Coruna exploit kit to the US government, based on similarities to hacking tools previously attributed to the United States.
“The more widespread the use, the more likely there will be a leak,” iVerify said. “While iVerify has some evidence that this tool is a leaked US government framework, that should not overshadow the knowledge that these tools will find their way into the wild and be used ruthlessly by bad actors.”
Google said the hacking tools are powerful, as they can bypass an iPhone’s defenses when the user simply visits a malicious website containing the exploit code (for example, after being sent a malicious link) in what’s known as a “watering hole” attack. According to Google, the Coruna kit can hack into an iPhone in five different ways, relying on and chaining together 23 separate vulnerabilities in its digital arsenal. Affected devices range from iPhone models running iOS 13 to 17.2.1, which was released in December 2023.
According to Wired, which first reported the news, the Coruna kit contains elements previously used in a hacking campaign called Operation Triangulation. Russian cybersecurity firm Kaspersky claimed in 2023 that the US government tried to hack several iPhones belonging to its employees.
While leaks of hacking tools are rare, they are not unheard of. In 2017, the US National Security Agency discovered that tools it had developed to hack into Windows computers around the world had been stolen. The Windows backdoor, known as EternalBlue, was later published and used by cybercriminals in subsequent attacks, including the 2017 WannaCry ransomware attack from North Korea.
TechCrunch also recently reported on the case of Peter Williams, the former head of US defense contractor L3Harris Trenchant, who was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker known to be working with the Russian government.
According to prosecutors, Williams sold exploits capable of hacking “millions of computers and devices” around the world. At least one exploit was sold to a South Korean broker. It is unclear whether the exploits were ever disclosed to the software makers or fixed.
