March 5 News: Google Threat Intelligence Group (GTIG) recently released a security report stating that researchers have discovered a new iPhone exploit toolkit called “Coruna,” used to steal cryptocurrency wallet mnemonics and financial information. The toolkit targets devices running iOS 13.0 to 17.2.1 and launches targeted attacks through multiple exploit chains, drawing significant attention in the mobile security field.
The report shows that “Coruna” contains five complete iOS exploit chains, involving a total of 23 security vulnerabilities, some of which have never been publicly disclosed before. Google researchers said they first identified related attack activity in February 2025 and found that the tool was initially suspected to be used by Russian espionage groups for cyberattacks against Ukrainian users. It was later used to impersonate financial and crypto-related websites to trick users into revealing information.
The attack mainly relies on malicious web pages delivering exploit code. When iPhone users visit specific sites, JavaScript frameworks on the pages perform device fingerprinting, verify the system version, and then load the corresponding exploit chain. Researchers found the same framework on multiple compromised Ukrainian websites and noted that the attack code was only sent to iPhones in certain regions.
In December 2025, the team further detected the same framework on numerous fake Chinese-language websites related to financial services, including counterfeit crypto platform pages. Once victims access these sites on iOS devices, the tools scan for sensitive information such as mnemonic phrases, backup words, or bank account details, and attempt to read data from common crypto wallet apps to gain control of digital assets.
Google states that this exploit toolkit currently cannot run on the latest iOS versions, and recommends iPhone users upgrade their systems promptly. If upgrading is not possible, users can enable Apple’s “Lockdown Mode” to defend against complex network attacks.
Meanwhile, discussions about the origin of “Coruna” have also sparked controversy. Rocky Cole, co-founder of mobile security firm iVerify, told media that the tool is highly complex, with development costs possibly reaching millions of dollars, and shares some modules similar to those used in U.S. government cyber tools. However, Kaspersky security experts said there is currently not enough evidence to directly link its code to any known tools.
Security experts warn that cryptocurrency users should be vigilant against phishing pages and update their devices promptly when using mobile wallets or visiting related websites to reduce the risk of mnemonic leaks and digital asset theft.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
FBI teams up with Indonesia to dismantle W3LL phishing network, with more than $20 million involved
The U.S. FBI and Indonesian police successfully cooperated to dismantle a W3LL phishing network, seizing related equipment and detaining suspects. The W3LL phishing toolkit offers low-priced fake login pages that use man-in-the-middle attacks to easily bypass multi-factor authentication, forming an organized cybercrime ecosystem. This operation marks cooperation between the U.S. and Indonesia in law enforcement against cybercrime; however, the security threats to cryptocurrency users remain severe.
MarketWhisper2h ago
Squads Emergency Alert: Address poisoning and forged multisig accounts; a whitelist mechanism will go live
Solana ecosystem multi-signature agreement Squads issued a warning, pointing out that attackers launched an address poisoning attack against users by using fake accounts to trick users into making unauthorized transfers. Squads confirmed that there was no loss of funds and emphasized that this is a social engineering attack rather than a protocol vulnerability. To respond, Squads has implemented protective measures such as a warning system, non-interactive account prompts, and a whitelist mechanism. This incident reflects the growing social engineering threats in the Solana ecosystem and has prompted ongoing security reviews.
MarketWhisper2h ago
South Korean “retaliation intermediary” agencies charged USDT to carry out violent crimes, and continued operating even after the main suspect was arrested
South Korea has recently seen multiple “revenge intermediary” organizations that use cryptocurrency as a payment method. They offer intimidation and murder services via Telegram. Even though the main culprit has been arrested, related advertisements are still being posted. Police are investigating more than 50 cases and have arrested about 30 people.
GateNews4h ago
Fake Ledger App on Apple’s App Store Drains Musician’s 5.9 BTC Retirement Fund
A fake Ledger app on Apple's App Store deceived musician Garrett Dutton into losing 5.9 BTC by entering his seed phrase. This case highlights ongoing wallet scams and the exploitation of trust, as the stolen bitcoin was laundered through KuCoin.
CryptoNewsFlash8h ago
A CEX Faces Extortion and Refuses to Back Down: Affects About 2,000 Accounts, Customer Funds Are Not at Risk
A certain cryptocurrency exchange was extorted by a criminal organization, which claimed it would release internal system access videos. The exchange confirmed it had not suffered a systemic breach, that customer funds are safe, and that due to improper conduct by customer service personnel, data from approximately 2,000 accounts was accessed. The exchange has revoked the relevant permissions and strengthened security controls. The company is working with law enforcement agencies to investigate.
GateNews12h ago
Solana cofounder toly: a base-layer stablecoin should be built that can only be frozen with authorization from the court
Solana co-founder toly noted that the industry needs a stablecoin that can only be frozen under a court order, opposing other freeze factors. He suggested that the protocol issue a stablecoin with custom freeze strategies on the base layer and strengthen security measures. This view stems from a recent response by Circle to the Drift protocol hack incident, sparking discussions about centralized stablecoins.
GateNews12h ago
