iPhone Users Cautioned: Cryptocurrency Scams Ignite ‘Coruna’ iOS Vulnerabilities

Last updated on by on Categories
Try Our Free Tools!
Master the web with Free Tools that work as hard as you do. From Text Analysis to Website Management, we empower your digital journey with expert guidance and free, powerful tools.
Let's Try Now!

A concerning new menace is infiltrating the iPhone ecosystem: a sophisticated exploit kit dubbed Coruna is being disseminated through cryptocurrency-related scam websites, covertly invading devices and depleting digital wallets.

This article explores the exploit’s mechanics, its inception, and the necessary precautions for iPhone users in the United States.

A New Threat: Crypto Scams Ignite ‘Coruna’ iOS Exploits

Google’s Threat Intelligence Group (GTIG), in conjunction with cybersecurity firm iVerify, has identified Coruna, an exceptionally advanced iOS exploit kit that targets iPhones operating on iOS versions 13.0 through 17.2.1.

This toolkit exploits 23 unique vulnerabilities within five comprehensive exploit chains, allowing intruders to compromise devices merely by visiting a nefarious website—user interaction is not required.

First detected in February 2025 during an investigation by a commercial spyware provider, Coruna subsequently appeared in a Russian espionage initiative aimed at Ukrainian targets, ultimately being repurposed by Chinese cybercriminals to illicitly procure cryptocurrency from unsuspecting individuals.

Understanding Coruna’s Functionality

Exploit Delivery via Cryptocurrency Scam Sites

Coruna is predominantly delivered through watering-hole attacks—websites either compromised or fabricated, often impersonating cryptocurrency exchanges or financial platforms.

Upon an iPhone user visiting such a site, concealed JavaScript code fingerprints the device, identifies its model and iOS version, and activates the corresponding exploit chain.

Multi-Stage Exploitation

The exploit chains amalgamate WebKit remote code execution (RCE), sandbox circumventions, pointer authentication code (PAC) evasion, and kernel privilege escalation.

Notable vulnerabilities leveraged include CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, among several others.

Financial Payload: PlasmaLoader

Upon successful exploitation, it installs a loader known as PlasmaLoader (alternatively referred to as PLASMAGRID), which integrates into system processes.

This malware meticulously scans for cryptocurrency-related information—seed phrases, wallet backups, QR codes, and terminologies such as “backup phrase”—and exfiltrates this data to purloin digital assets.

Origins and Dissemination

From Government Instrument to Criminal Tool

Analysis by iVerify indicates that Coruna exhibits characteristics of a nation-state-grade toolkit, potentially developed for or by the U.S. government.

Extensive documentation in English and structural resemblances to established government frameworks lend credence to this hypothesis.

Upon its leak or sale, the toolkit was repurposed by diverse malicious entities:
February 2025: Utilized by a client of a surveillance vendor.
Summer 2025: Implemented in targeted operations by a Russian espionage group against Ukrainian users.
Late 2025: Adopted by Chinese financial cybercriminals to trick iPhone users via fraudulent cryptocurrency platforms.

Widespread Exploitation

This marks the first recognized mass iOS assault, transitioning from highly targeted spyware to expansive exploitation. iVerify estimates that tens of thousands of iPhones have already fallen victim to this threat.

Consequences for Stakeholders

iPhone Users

  • Crypto holders face significant risks: seed phrases and wallet data can be surreptitiously pilfered without user action.
  • Users with outdated iOS versions (13.0–17.2.1) remain particularly susceptible.
  • Devices engaged in Lockdown Mode or private browsing are immune, as Coruna recognizes and aborts operations in these scenarios.

Apple

  • The company rectified the exploited vulnerabilities in iOS 17.3, launched in January 2024.
  • Apple must prioritize rapid remediation of new vulnerabilities and user education regarding Lockdown Mode.

Cybersecurity Community

  • This incident highlights the dangers associated with the proliferation of exploits from governmental or commercial spyware to malicious actors.
  • It accentuates the pressing need for enhanced regulation and oversight within the spyware marketplace.

Mitigation and Recommendations

  • Update iOS immediately to version 17.3 or higher to close all vulnerabilities associated with Coruna.
  • Activate Lockdown Mode to entirely obstruct exploit execution.
  • Steer clear of dubious cryptocurrency or financial websites, particularly those requiring iPhone-specific access.
  • Utilize private browsing while navigating untrusted sites; Coruna refrains from executing in this mode.

Analysis and Future Outlook

Coruna signifies a perilous evolution in mobile threats: a state-grade exploit kit now weaponized for extensive financial theft.

Its trajectory—from surveillance apparatus to espionage weapon to criminal asset—exposes the vulnerability of exploit containment once such tools are disseminated.

Looking ahead:
– A potential increase in exploit kits being leaked or sold, amplifying the threat landscape.
– The urgency for regulatory frameworks, such as the Pall Mall Process, may intensify to mitigate the reckless trade of surveillance tools.
– Apple’s ongoing initiatives to fortify iOS, enhance Lockdown Mode, and educate users will be paramount.

The advent of Coruna serves as a stark reminder: iPhone users are being actively targeted through cryptocurrency scams that can trigger formidable, nation-state-level exploits. The threat is both real and extensive, driven by financial gain.

The ultimate defense lies in vigilance—maintain device updates, enable Lockdown Mode, and exercise caution around dubious cryptocurrency platforms. The stakes are considerable, yet with proactive strategies, users can remain a step ahead.

What is the Coruna exploit kit?

Coruna is a nuanced iOS exploit framework leveraging 23 vulnerabilities across five exploit chains to silently breach iPhones running iOS versions 13.0 to 17.2.1. It was identified by Google’s Threat Intelligence Group and iVerify.

A hand holds a device showing a terminal with Coruna iOS in front of a smartphone and server racks in a data center.

How do cryptocurrency scams instigate Coruna exploits?

Coruna is disseminated through compromised or fraudulent cryptocurrency and financial websites. When an iPhone user accesses such a site, hidden JavaScript fingerprints the device and initiates the corresponding exploit chain without any user interaction.

Which iOS versions are at risk?

iPhones operating on iOS versions from 13.0 to 17.2.1 are vulnerable. Apple addressed the exploited vulnerabilities in iOS 17.3, which was released in January 2024.

What measures can I take to safeguard my iPhone from Coruna?

  • Update to iOS 17.3 or newer.
  • Activate Lockdown Mode.
  • Engage in private browsing when visiting unfamiliar websites.
  • Exercise caution with suspicious cryptocurrency or financial websites.

Who is responsible for Coruna?

Coruna seems to have emerged from a commercial surveillance origin, potentially crafted for U.S. governmental use. It subsequently proliferated among Russian espionage entities and Chinese cybercriminals.

Source link: Tlt.ng.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

RS Web Solutions

We provide the best tutorials, reviews, and recommendations on all technology and open-source web-related topics. Surf our site to extend your knowledge base on the latest web trends.
Share the Love
Related News Worth Reading
 
Try Our Free Tools!
Master the web with Free Tools that work as hard as you do. From Text Analysis to Website Management, we empower your digital journey with expert guidance and free, powerful tools.
Let's Try Now!

We provide the best tutorials, reviews, and recommendations on all technology and open-source web-related topics. Surf our site to extend your knowledge base on the latest web trends.

Trustpilot
Content Safety

HERO

rswebsols.com
Trustworthy

Approved by Sur.ly

Important Links
Free Tools
Categories
Popular Topics
Our Partners
Copyright © 2026 - RS Web Solutions (RSWEBSOLS) | All Rights Reserved. Image credit: Unsplash | Pixabay | Pexels | Freepik.