A mass hacking campaign targeting iPhone users in Ukraine and China used tools likely designed by US military contractor L3Harris, according to TechCrunch. The tools, which were intended for Western spies, ended up in the hands of various hacking groups, including Russian government terrorists and Chinese cybercriminals.
Last week, Google revealed that during 2025 it discovered that a sophisticated iPhone hacking toolkit had been used in a series of global attacks. The toolkit, named “Coruna” by its original developer, was constructed from 23 different components that were first used “in highly targeted operations” by an unnamed government customer of an unspecified “surveillance vendor.” It was then used by Russian government spies against a limited number of Ukrainians, and finally by Chinese cybercriminals in “wide-scale” campaigns to steal money and cryptocurrencies.
Researchers at mobile phone company iVerify, which independently analyzed Coruñasaid they believed it may have been originally manufactured by a company that sold it to the US government.
Two former employees of government contractor L3Harris told TechCrunch that Coruna was developed, at least in part, by the company’s hacking and surveillance technology division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they were not authorized to talk about their work for the company.
“Coruna was definitely an inside name of a component,” said a former L3Harris employee who was familiar with iPhone hacking tools as part of his work at Trenchant.
“Looking at the technical details,” this person said, referring to some of the data released by Google, “so much is known.”
Contact us
Do you have more information about Coruna or other government hacking and spyware tools? From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
The former employee said the general Trenchant toolbox was home to many different elements, including Coruna and related holdings. Another former employee confirmed that some of the details included in the published hacking toolkit came from Trenchant.
L3Harris sells Trenchant’s hacking and surveillance tools exclusively to the US government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand and the United Kingdom. Given Trenchant’s limited number of clients, it is possible that Coruna was originally acquired and used by one of those governments’ intelligence agencies before falling into unwitting hands, although it is unclear how much of the published Coruna hacking toolkit was developed by L3Harris Trenchant.
A representative for L3Harris did not respond to a request for comment.
How Coruna went from the hands of a Five Eyes government contractor to a Russian government hacking group and then to a Chinese cybercrime gang is unclear.
But some of the circumstances seem similar to the case of Peter Williams, Trenchant’s former managing director. From 2022 until his resignation in mid-2025, Williams sold eight corporate hacking tools to Operation Zero, a Russian company that offers millions of dollars in exchange for zero-day exploits, that is, vulnerabilities unknown to the affected vendor.
Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after he admitted stealing and selling Trenchant’s eight hacking tools to Operation Zero for $1.3 million.
The US government said Williams, who took advantage of “full access” to Trenchant’s networks, “betrayed” the United States and its allies. Prosecutors accused him of leaking tools that could allow anyone using them to “potentially access millions of computers and devices around the world,” suggesting the tools are based on vulnerabilities affecting widely used software such as iOS.
Operation Zero, which was sanctioned by the US government last month, claims to be working exclusively with the Russian government and local companies. The US Treasury Department alleged that the Russian broker sold Williams’ “stolen tools” to at least one unauthorized user.
This would explain how the Russian espionage group, which Google has identified only as UNC6353, obtained Coruna and deployed it on hacked Ukrainian websites to hack certain iPhone users from a specific geographic location who were unwittingly visiting the malicious website.
It is possible that once Operation Zero acquired Coruna and possibly sold it to the Russian government, the broker then resold the toolkit to someone else, perhaps another broker, in another country, or even directly to cybercriminals. The Treasury Department alleged that a member of the Trickbot ransomware gang worked with Operation Zero, linking the broker to financially motivated hackers.
At that point, Coruna might have changed hands until it reached Chinese hackers. According to US prosecutors, Williams identified the code he wrote and sold to Operation Zero and was later used by a South Korean broker.
Triangulation function
Google researchers wrote on Tuesday that two specific Coruna exploits and underlying vulnerabilities, named Photon and Gallium by their original developers, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users. Operation Triangulation was first disclosed by Kaspersky in 2023.
Rocky Cole, the co-founder of iVerify, told TechCrunch that “the best explanation based on what is known right now” points to Trenchant and the US government being the original developers and customers of Coruna. Although, Cole added, he doesn’t claim that “definitively.”
That assessment, he said, is based on three factors. The timing of Coruna’s use aligns with Williams’ leaks, the structure of three units — Plasma, Photon and Gallium — found in Coruna bear strong similarities to Triangulation, and Coruna reused some of the same exploits used in that operation, he said.
According to Cole, “people close to the defense community” claim that Plasma was used in Operation Triangulation, “although there is no public evidence of this.” (Cole previously worked for the US National Security Agency.)
According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 to 17.2.1, released between September 2019 and December 2023. These dates are consistent with the timing of some of Williams’ leaks and the Operation Triangulation discovery.
One of Trenchant’s former employees told TechCrunch that when Triangulation was first revealed in 2023, other employees at the company believed that at least one of the zero-days that Kaspersky caught “was from us and was potentially ‘excluded’ from” the overall project involving Coruna.
Another toast showing Trenchant — as noted by security researcher Costin Raiu — is the use of bird names for some of the 23 tools, including Cassowary, Terrorbird, Bluebird, Jacurutu and Sparrow. In 2021, the Washington Post revealed that azimuth, one of the two startups later acquired by L3Harris and merged into Trenchanthad sold a hacking tool called Condor to the FBI in San Bernardino’s famous iPhone breaking case.
After Kaspersky published its investigation into Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, particularly targeting diplomats. A Kaspersky spokesman said at the time that the company had no information about the FSB’s allegations. The spokesman noted that the “indicators of compromise” – meaning evidence of an intrusion – detected by the Russian National Coordination Center for Computer Incidents (NCCCI) were the same as those detected by Kaspersky.
Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email that “despite our extensive investigation, we are unable to attribute Operation Triangulation to any known [Advanced Persistent Threat] group development or holding company’.
Larin explained that Google linked Coruna to Operation Triangulation because they both exploit the same two vulnerabilities – Photon and Gallium.
“The performance cannot be based solely on the fact that these vulnerabilities were exploited. All the details of both vulnerabilities have long been publicly available,” he said, adding that these two shared vulnerabilities “are just the tip of the iceberg.”
Kaspersky has never publicly accused the US government of being behind Operation Triangulation. Interestingly, the logo created by the company for the campaign is an apple logo consisting of many triangles — reminds the L3Harris logo. It may not be a coincidence. Kaspersky had previously said it would not publicly attribute a hacking campaign, tacitly signaling that it actually knew who was behind it or who provided the tools for it.
In 2014, Kaspersky was announced that he had captured a sophisticated and elusive government hacking group known as “Careto” (Spanish for “The Mask”). The company said only that the hackers spoke Spanish. But the depiction of a mask the company used in its exhibition included the red and yellow colors of the Spanish flag, the bull’s horns and nose ring, and castanets.
As TechCrunch revealed last year, Kaspersky researchers had privately concluded that there was “no doubt,” as one of them put it, that Careto was run by the Spanish government.
On Wednesday, cybersecurity reporter Patrick Gray he said on an episode of the Risky Business podcast that he thought – based on the “bits and pieces” he was sure of – that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign.
Apple, Google, Kaspersky and Operation Zero did not respond to requests for comment.
