“Coruna” iPhone Hack Could Empty Crypto Wallets, Google Warns - Crypto Economy

TL;DR:

• Google’s Threat Intelligence Group warns “Coruna” targets older iPhones and can steal recovery phrases to drain crypto wallets before funds move.
• It chains five exploit paths and 23 flaws across iOS 13 to 17.2.1; malicious sites fingerprint devices via hidden JavaScript, then install spyware quietly.
• Controls are straightforward: update to the latest iOS, enable Lockdown Mode, use private browsing, avoid unknown crypto sites, and keep phrases offline.

Google’s Threat Intelligence Group is warning crypto users about “Coruna,” a sophisticated exploit kit that targets older iPhones and can steal wallet recovery phrases. Researchers say it aggressively scans devices running outdated Apple software and, once it finds a vulnerable target, can extract the sensitive data needed to restore wallets elsewhere. For anyone holding Bitcoin, Ethereum, or other assets on mobile, a single iOS lapse can become a full wallet loss. The practical implication for institutions and retail users is the same: endpoint hygiene now sits on the critical path for fund security today.

How Coruna turns iPhone weakness into wallet risk

Coruna combines five exploit chains and at least 23 vulnerabilities to compromise devices running iOS versions from 13 to 17.2.1. The attack typically starts when a user lands on a compromised website, where hidden JavaScript fingerprints the device model, software version, and security settings. If the target qualifies, Coruna weaponizes web visits into device takeover by chaining multiple stages that bypass built-in protections, escalate privileges, install spyware, and then pull sensitive information from the operating system with high reliability and minimal user-visible signals. It runs quietly, so victims rarely see warnings.


Researchers say the payload is optimized for crypto theft. The spyware hunts encrypted wallet files, login credentials, and mnemonic recovery phrases that can recreate a wallet on another device. Once those phrases are exposed, attackers can transfer funds immediately in minutes, often before victims notice. Distribution relies on “watering hole” tactics, where hackers compromise sites crypto users frequent, including fake trading platforms and phishing pages. In effect, recovery phrases are the attacker’s fastest cash-out, turning normal browsing into an account-drain event and forcing teams to rethink how and where they store secrets.

The report also notes possible nation-state echoes. iVerify found Coruna code that resembles tools believed to have originated from U.S. government cyber programs, but researchers think the toolkit leaked and is now used by criminals and intelligence actors from Russia and China. Defenses are concrete: it fails on the latest iOS, stops if Lockdown Mode is enabled, and does not work in private browsing mode. Private browsing adds extra friction. Operationally, patch discipline and offline secrets are the best control: update iOS, avoid unknown crypto sites, and keep recovery phrases off phones entirely.