A dangerous new threat is targeting iPhone owners worldwide as a powerful government-grade spy tool has fallen into criminal hands. Security experts warn that the rogue software, known as Coruna, is now actively draining cryptocurrency wallets and stealing private data from thousands of unsuspecting victims through malicious websites. This marks a terrifying shift where military tools are now being used for common theft.
How the Hack Enters Your Phone
The Coruna framework is terrifying because it operates silently. Users do not need to download a shady app or open a weird email attachment to get infected. The attack targets WebKit, which is the engine powering all browsers on the iPhone. This means simply visiting a compromised website can trigger the infection.
Hackers are embedding the malicious code into websites that look normal. The code exploits vulnerabilities in the browser software. Once the browser loads the page, the malware breaks out of its “sandbox” security cage. It then digs deeper into the phone system.
The attack uses a chain of five different exploits. It moves from the browser layer all the way down to the “kernel” or the core of the operating system. This gives the attackers “root” privileges. Having root access means the hackers essentially own the device and can control it better than the actual owner.
Cybersecurity firms like Google Threat Intelligence and iVerify have analyzed the code. They report that it bypasses modern Apple security protections. The complexity of the code suggests it was built by top-tier engineers, not average internet scammers.
Thousands of Devices Already Compromised
The scale of this attack is growing rapidly. Security researchers have already identified over 40,000 devices infected in a single campaign. This specific wave of attacks focused on users visiting Chinese-language gambling and cryptocurrency websites.
Once the Coruna spyware settles inside an iPhone, it immediately starts hunting for value. It is not just looking for passwords. It actively scans for:
- Cryptocurrency wallet private keys
- Login details for crypto exchanges
- Personal photos and videos
- Email archives and contact lists
The primary goal of this new wave is financial theft rather than political espionage.
This shift in tactics is alarming to privacy advocates. In the past, tools like this were used sparingly against high-value targets like diplomats or journalists. Now, the net is cast wide. Criminals are using a “spray and pray” method. They infect as many phones as possible to drain whatever digital assets they can find.
From Spy Operations to Common Theft
The journey of Coruna reveals a dark reality about the cyber arms market. The framework was not originally built for thieves. Researchers first spotted pieces of this code in early 2025 during a sophisticated surveillance operation. It was likely used by a government customer of a private spyware vendor.
Later in 2025, the code surfaced again. It was used in a suspected intelligence campaign targeting Ukrainian assets. In that instance, the malware was hidden inside a visitor-counting widget on websites. It was a stealthy, targeted tool.
Now, in 2026, the tool has leaked into the broader criminal underground. This phenomenon is becoming dangerously common. Experts compare this to the leak of “EternalBlue” years ago. That was a military-grade tool that was eventually used by criminals to launch the massive WannaCry ransomware attack.
The table below outlines the rapid descent of this tool from spycraft to crime:
| Timeline | Usage Type | Primary Target |
|---|---|---|
| Early 2025 | Surveillance | High-value individuals |
| Late 2025 | Cyber Espionage | Ukrainian websites |
| March 2026 | Financial Crime | Crypto wallets & gambling sites |
The malware added on top of the sophisticated Coruna framework is actually quite simple. This suggests that the criminals using it did not build the exploit themselves. They likely bought it or found it on the black market.
Steps to Protect Your Digital Life
The most critical factor in this infection is the software version. Users running older versions of iOS are the most vulnerable to Coruna attacks. Apple has patched the specific vulnerabilities used by this framework in its most recent updates.
Many users delay updates because of storage space or habit. This delay is exactly what the attackers are counting on. The exploits rely on known holes in the security walls of older systems.
Here are the urgent steps every iPhone user should take immediately:
- Update Immediately: Go to Settings and install the latest iOS version available for your device.
- Reboot Weekly: Restarting your phone can sometimes disrupt non-persistent malware chains.
- Check URLs: Be extremely cautious when visiting lesser-known crypto or gambling sites.
- Lockdown Mode: If you feel you are a high-risk target, enable Apple’s Lockdown Mode for extra protection.
Security experts warn that while the current holes are patched, the techniques inside Coruna will evolve. The attackers have shown they can adapt military tools for mass robbery. Staying ahead of them requires constant vigilance.
The era of government-grade weapons being used for muggings in the digital world has arrived.
This situation serves as a harsh reminder of our digital fragility. We carry our entire lives and life savings in our pockets. When tools designed for spies turn against the public, the consequences are devastating. It is vital to stay informed and keep our defenses up.