US Government iPhone Hacking Tool Compromises Thousands of Devices Worldwide

2026-03-04

Amsterdam, Wednesday, 4 March 2026.
A sophisticated iPhone exploitation toolkit called Coruna, very likely developed for US government operations, has leaked to foreign intelligence services and cybercriminals and is estimated to have compromised some 42,000 devices worldwide. The toolkit exploits 23 iOS vulnerabilities across five attack chains and is delivered through malicious websites, targeting iPhones running iOS 13 through 17.2.1. Evidence suggests it was repurposed by Russian operatives in a campaign against Ukrainian websites and by Chinese criminal groups stealing cryptocurrency. The researchers who analysed it describe this as the first case they have seen of tools very likely built for the US government spinning out of control and ending up in adversary hands.

Discovery and Technical Analysis

Google’s Threat Intelligence Group published its analysis of the Coruna exploit kit on Tuesday, March 3, 2026, following independent analysis by cybersecurity firm iVerify [1]. The toolkit contains five distinct exploit chains that bypass iPhone defenses and install malware when a user visits an infected website [1]. Components of Coruna were first spotted in February 2025, in use by a customer of a surveillance company; a more complete version appeared five months later, in July 2025, during a suspected Russian espionage campaign that compromised Ukrainian websites [1]. The exploit kit targets WebKit vulnerabilities in iOS 13 through 17.2.1; these vulnerabilities are fixed in current iOS releases, including iOS 26 [4], so devices that stay on the latest iOS are outside the affected range. iVerify researchers conducted their own technical analysis roughly two weeks before March 2, 2026, discovering the domain mxbc-v2[.]tjbjdod[.]cn hosting the exploits; they tracked the activity internally under the name “CryptoWaters” [2].

Scale of Compromise and Attack Methods

The scale of the Coruna operation extends far beyond traditional targeted surveillance: iVerify estimates that roughly 42,000 devices may have been compromised in the for-profit campaign alone [1][4]. Each exploit chain pairs a WebKit remote code execution (RCE) exploit in Safari with a local privilege escalation (LPE) exploit, and the kit is built to infect any vulnerable iOS version it encounters rather than a specific victim, a spray-and-pray characteristic more typical of cybercriminal groups than of nation-state operators [2]. Once installed, the malware injects into multiple processes, including locationd, imagent, and WhatsApp, creating threads and dispatch queues named “plasma_supervisor” or “com.plasma.heartbeat.callback” [2]. A SpringBoard component communicates with the locationd implant, which downloads modules, orchestrates operations, and inspects photos and notes stored on the infected device [2]. The toolkit uses different User Agent strings for different processes, including a static (hard-coded) Safari User Agent: “Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1” [2].
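The indicators above (the exploit-hosting domain from the previous section, the static User Agent, and the thread and dispatch queue names) are what a defender would actually hunt for. The script below is an added example written for this article, not code from iVerify, Google, or the Coruna authors; it applies the published indicators to two constructed inputs: a combined-format web proxy log and a simplified spindump-style report of per-process threads. The log format, the sample lines, the severity labels and the helper names are assumptions for illustration. The one caveat it encodes is that the static User Agent is exactly what a genuine iOS 16.0 Safari sends, so it is only a weak indicator on its own; the example escalates it when the same client also reports a different iOS version, which suggests the 16_0 string is hard-coded by a non-browser process.

```python
"""Triage helpers for the published Coruna indicators (added example, not project code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted in the article (iVerify analysis). The domain is kept in the
# defanged form it was published in; refang() turns it into a matchable hostname.
CORUNA_DOMAIN_DEFANGED = "mxbc-v2[.]tjbjdod[.]cn"
CORUNA_STATIC_UA = (
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1"
)
CORUNA_QUEUE_NAMES = ("plasma_supervisor", "com.plasma.heartbeat.callback")


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


@dataclass
class Hit:
    subject: str   # client IP (proxy log) or process name (spindump)
    severity: str  # "high" | "medium" | "low"
    reason: str
    evidence: str


# Assumed combined-log-style proxy line:
#   ip - - [timestamp] "METHOD url HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
IOS_VER_RE = re.compile(r"iPhone OS (\d+(?:_\d+)+)")


def triage_proxy_log(lines):
    """Flag contact with the exploit host (high) and the static implant UA (low on
    its own); escalate to medium when the same client also reports another iOS version."""
    exploit_host = refang(CORUNA_DOMAIN_DEFANGED)
    hits, versions_by_ip, static_ua_ips = [], defaultdict(set), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these
        ip, url, ua = m["ip"], m["url"], m["ua"]
        host = (urlsplit(url).hostname or "").lower()
        if host == exploit_host or host.endswith("." + exploit_host):
            hits.append(Hit(ip, "high", "request to known Coruna exploit host", host))
        v = IOS_VER_RE.search(ua)
        if v:
            versions_by_ip[ip].add(v.group(1))
        if ua == CORUNA_STATIC_UA:
            static_ua_ips.add(ip)
            hits.append(Hit(ip, "low", "static Coruna UA (also a legitimate iOS 16.0 Safari UA)", ua))
    for ip in sorted(static_ua_ips):
        others = versions_by_ip[ip] - {"16_0"}
        if others:  # hard-coded 16_0 UA next to the device's real version string
            hits.append(Hit(ip, "medium",
                            "static 16_0 UA from a client that also reports iOS " + ", ".join(sorted(others)),
                            CORUNA_STATIC_UA))
    return hits


def triage_spindump(text):
    """Scan a simplified spindump-style report for the implant's named threads and
    dispatch queues, reporting the process each one was found in."""
    hits, process = [], "?"
    for line in text.splitlines():
        m = re.match(r"^Process:\s+(\S+)", line)
        if m:
            process = m.group(1)
            continue
        for name in CORUNA_QUEUE_NAMES:
            if name in line:
                hits.append(Hit(process, "high", "Coruna thread/queue name in process", name))
    return hits


# Constructed sample input (not real captures).
IOS17_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1")
SAMPLE_PROXY_LOG = [
    f'10.0.0.5 - - [01/Mar/2026:09:14:02 +0000] "GET http://mxbc-v2.tjbjdod.cn/x/ HTTP/1.1" 200 5120 "-" "{IOS17_UA}"',
    f'10.0.0.7 - - [01/Mar/2026:09:15:30 +0000] "POST http://203.0.113.9/beat HTTP/1.1" 200 40 "-" "{CORUNA_STATIC_UA}"',
    f'10.0.0.7 - - [01/Mar/2026:09:16:01 +0000] "GET https://www.example.com/ HTTP/1.1" 200 1200 "-" "{IOS17_UA}"',
    f'10.0.0.9 - - [01/Mar/2026:09:17:44 +0000] "GET http://www.example.net/ HTTP/1.1" 200 800 "-" "{CORUNA_STATIC_UA}"',
    '10.0.0.8 - - [01/Mar/2026:09:18:10 +0000] "GET https://www.example.org/ HTTP/1.1" 200 900 "-" "curl/8.4.0"',
]
SAMPLE_SPINDUMP = """\
Process:         locationd [82]
  Thread 0x1f2a   DispatchQueue "com.apple.main-thread"(1)
  Thread 0x1f3b   DispatchQueue "com.plasma.heartbeat.callback"(7)
Process:         imagent [101]
  Thread 0x2044   Thread name "plasma_supervisor"
Process:         SpringBoard [61]
  Thread 0x0c11   DispatchQueue "com.apple.main-thread"(1)
"""

if __name__ == "__main__":
    for h in triage_proxy_log(SAMPLE_PROXY_LOG) + triage_spindump(SAMPLE_SPINDUMP):
        print(f"[{h.severity:6}] {h.subject}: {h.reason} ({h.evidence})")
```

On the sample data, 10.0.0.5 is flagged high for contacting the exploit host, 10.0.0.9 only low (it could simply be an iOS 16.0 device), and 10.0.0.7 is raised to medium because it sends both the hard-coded 16_0 string and a genuine 17_2_1 Safari string. Treat the thread and queue names as the strongest host-side signal: they are specific to the implant, whereas both the domain and the User Agent can be rotated.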

Government Origins and Criminal Repurposing

Multiple indicators point to Coruna’s origins as a US government-developed tool that subsequently leaked to adversaries and criminal organizations. Rocky Cole, co-founder of iVerify, states: “It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government…This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups” [1]. The toolkit contains components previously used in “Triangulation,” a hacking operation that targeted Kaspersky in 2023 [1]. Beyond espionage applications, Coruna has been repurposed for profit-focused campaigns, particularly targeting Chinese-language cryptocurrency and gambling sites to steal cryptocurrency [1]. Spencer Parker, iVerify’s chief product officer, emphasized the professional quality of the code, stating: “My God, these things are very professionally written” [1][4].

Market Dynamics and Security Implications

The leak of Coruna illustrates how the zero-day exploit market works in practice: the same capability can be resold to multiple buyers, so a tool built for one government can end up serving its adversaries. Cole explains the market dynamics: “These zero-day and exploit brokers tend to be unscrupulous… They sell to the highest bidder and they double dip. Many don’t have exclusivity arrangements. That’s very likely what happened here” [1][4]. The case parallels the February 2026 sentencing of Peter Williams, an executive of US government contractor Trenchant, who received seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero between 2022 and 2025 [1]. Trenchant had previously sold hacking tools to the US intelligence community and to the “Five Eyes” group, comprising the United States, United Kingdom, Australia, Canada, and New Zealand [1]. Cole warns that “One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay… The genie is out of the bottle” [1]. The framework’s coherent structure suggests it was created by a single author or team rather than assembled from disparate components, with Cole noting: “The framework holds together very well… It looks like it was written as a whole. It doesn’t look like it was pieced together” [1].

Sources
