U.S. Military Contractor’s iPhone Hacking Tools Misused by Russian and Chinese Cyber Actors
In a startling revelation, sophisticated iPhone hacking tools originally developed by U.S. military contractor L3Harris have been exploited by Russian intelligence operatives and Chinese cybercriminals. These tools, intended for use by Western intelligence agencies, have been implicated in cyberattacks targeting individuals in Ukraine and China.
Google’s recent findings indicate that throughout 2025, a complex iPhone-hacking toolkit named Coruna was deployed in various global cyberattacks. Initially utilized in highly targeted operations by an undisclosed government client of an unnamed surveillance vendor, Coruna subsequently fell into the hands of Russian government spies. These operatives used the toolkit against select Ukrainian targets. Later, Chinese cybercriminals employed Coruna in widespread campaigns aimed at financial theft and cryptocurrency fraud.
Independent analysis by mobile cybersecurity firm iVerify suggests that Coruna may have been originally crafted by a company supplying the U.S. government. Two former employees of L3Harris’s hacking and surveillance division, Trenchant, have confirmed that Coruna was at least partially developed by their team. One former employee, familiar with iPhone hacking tools at Trenchant, stated, “Coruna was definitely an internal name of a component.” They further noted that the technical details of Coruna were strikingly familiar, aligning with their work at Trenchant.
L3Harris’s Trenchant division specializes in creating hacking and surveillance tools exclusively for the U.S. government and its allies within the Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given this limited clientele, it’s plausible that Coruna was initially acquired and utilized by one of these allied intelligence agencies before being misappropriated. However, the exact extent of Trenchant’s involvement in the development of the Coruna toolkit remains unclear.
The pathway through which Coruna transitioned from a tool used by Western intelligence to one exploited by Russian and Chinese actors is complex. Notably, Peter Williams, a former general manager at Trenchant, played a significant role in this narrative. Between 2022 and mid-2025, Williams illicitly sold eight of Trenchant’s hacking tools to Operation Zero, a Russian company offering substantial sums for zero-day exploits—vulnerabilities unknown to software vendors. Williams, an Australian citizen, was sentenced to seven years in prison after admitting to these unauthorized sales, which netted him $1.3 million.
The U.S. government condemned Williams’s actions, stating that he betrayed the United States and its allies. Prosecutors highlighted that the leaked tools could have enabled unauthorized access to millions of computers and devices globally, suggesting that these tools exploited widely used software like iOS.
Operation Zero, sanctioned by the U.S. government in February 2026, claims to work exclusively with the Russian government and local entities. The U.S. Treasury alleged that Operation Zero sold Williams’s stolen tools to at least one unauthorized user, potentially explaining how the Russian espionage group UNC6353 acquired Coruna. This group deployed Coruna on compromised Ukrainian websites to target specific iPhone users based on their geolocation.
It’s conceivable that after acquiring Coruna, Operation Zero resold the toolkit to other parties, including brokers, foreign governments, or cybercriminal organizations. The U.S. Treasury linked Operation Zero to financially motivated hackers, noting that a member of the Trickbot ransomware gang collaborated with the Russian broker. This connection suggests that Coruna may have changed hands multiple times before being utilized by Chinese hackers. U.S. prosecutors noted that Williams recognized code he had written and sold to Operation Zero being used by a South Korean broker, indicating a broader dissemination of the stolen tools.
The misuse of Coruna underscores the risks associated with the proliferation of sophisticated cyber tools. Originally developed for national security purposes, these tools can become potent weapons once they fall into the hands of adversaries. This incident highlights the critical need for stringent security measures and oversight within defense contracting and intelligence operations to prevent similar breaches in the future.