Government-Developed iPhone Hacking Tools Now Exploited by Cybercriminals
Security researchers have uncovered a suite of sophisticated hacking tools, originally developed for government use, that are now being exploited by cybercriminals to compromise iPhones running older software versions. This toolkit, known as Coruna, was first identified by Google in February 2025 during an attempt by a surveillance vendor to infiltrate a target’s phone on behalf of a government client. Subsequent investigations revealed that Coruna was later utilized in widespread campaigns targeting Ukrainian users by a Russian espionage group and, more recently, by financially motivated hackers in China.
The exact means by which these tools have proliferated into the hands of cybercriminals remain unclear. However, Google’s security researchers have highlighted the emergence of a secondhand exploit market, where previously exclusive government tools are sold to financially motivated hackers seeking to maximize their utility. This trend underscores the potential for government-developed exploits and backdoors to leak and be misused by non-state actors.
Mobile security firm iVerify has reverse-engineered the Coruna toolkit and linked it to the U.S. government, citing similarities to hacking tools previously attributed to U.S. agencies. iVerify emphasized the inevitability of such tools leaking when their use becomes widespread, warning that they are likely to be exploited unscrupulously by malicious actors.
The Coruna toolkit is particularly potent, capable of bypassing an iPhone’s defenses through watering hole attacks. In these scenarios, victims are compromised simply by visiting a malicious website containing the exploit code. Coruna employs five distinct attack vectors, chaining together 23 separate vulnerabilities to infiltrate devices. Affected iPhones are those running iOS versions from 13 up to 17.2.1, the latter released in December 2023.
Notably, components of the Coruna toolkit were previously identified in a hacking campaign dubbed Operation Triangulation. In 2023, Russian cybersecurity firm Kaspersky alleged that the U.S. government attempted to hack several iPhones belonging to Kaspersky employees, further illustrating the potential for government-developed tools to be repurposed and misused.
This incident is not isolated. In 2017, the U.S. National Security Agency discovered that its Windows hacking tools had been stolen. These tools were subsequently published and used in attacks such as the 2017 WannaCry ransomware incident attributed to North Korea. More recently, Peter Williams, former head of U.S. defense contractor L3Harris Trenchant, was sentenced to over seven years in prison after pleading guilty to selling eight exploits to a broker associated with the Russian government. Prosecutors indicated that these exploits had the potential to compromise millions of computers and devices worldwide.
The Coruna case highlights the critical need for robust cybersecurity measures and the importance of promptly updating devices to mitigate vulnerabilities. It also raises questions about the ethical implications of developing and deploying such tools, given their potential to fall into the wrong hands and be used against unintended targets.