Coruna Exploit Kit Targets iPhone Crypto Wallet Users

2026/03/05 21:56

Mobile cryptocurrency traders who rely on iPhones are facing a new and sophisticated cybersecurity threat after researchers identified an exploit framework capable of bypassing multiple layers of Apple’s security protections. The newly discovered tool, known as the Coruna exploit kit, reportedly combines more than twenty vulnerabilities within Apple’s mobile operating system to gain unauthorized access to devices and steal cryptocurrency assets.

Security analysts reported that the exploit kit is far more dangerous than conventional malware that typically crashes applications or delivers intrusive advertisements. Instead, the tool quietly scans compromised devices for sensitive crypto-related information. Its functions include locating BIP39 seed phrases, extracting QR codes, and retrieving private keys from devices that have not received the latest security updates. As a result, attackers can drain digital wallets before the device owner even realizes the browser environment has been compromised.

The discovery has generated concern within the digital asset industry because it reflects a shift in the sophistication of cybercrime targeting retail investors. For many years, highly complex exploit chains were believed to be primarily used by government intelligence agencies for targeted surveillance operations. However, researchers suggest that Coruna represents a turning point, indicating that advanced surveillance-grade cyber tools have now been adapted for widespread financial theft targeting everyday users.

Exploit Framework Uses One-Click Attack Strategy

According to findings outlined in a report by Google’s Threat Analysis Group, the Coruna exploit kit operates through an efficient one-click attack method. The attack is triggered when a user visits a malicious or compromised website, which often appears to be a legitimate gambling platform or online news service.

Once the page loads, the exploit targets weaknesses within WebKit, the browser engine used by iOS. By exploiting these vulnerabilities, attackers can breach the device and then deploy additional privilege escalation techniques to escape the browser’s restricted environment, commonly known as the sandbox.

The researchers noted that the exploit chain had been tested across multiple versions of Apple’s mobile operating system, specifically from iOS 13.0 through iOS 17.2.1. Through these entry points, the framework installs a wallet-draining payload specifically designed to locate and steal cryptocurrency credentials and assets.
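For teams that manage a fleet of iPhones, the version range reported above can be turned into a patch-priority check. The following is an added example, not part of the original article or of any vendor tooling; the inventory rows, device names and CSV column names are constructed for illustration.

```python
# Added example: flag inventory devices whose iOS version falls inside the
# range the article reports as tested by the exploit chain (13.0 to 17.2.1).
import csv
import io

RANGE_LOW = (13, 0, 0)    # lower bound stated in the article
RANGE_HIGH = (17, 2, 1)   # upper bound stated in the article

def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); return None if it is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # pad '17.3' to (17, 3, 0)

def triage(inventory_csv):
    """Return (in_range, unknown) lists of device names from a CSV export."""
    in_range, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["os_version"])
        if version is None:
            unknown.append(row["device"])       # cannot decide, check by hand
        elif RANGE_LOW <= version <= RANGE_HIGH:
            in_range.append(row["device"])      # numeric, not string, comparison
    return in_range, unknown

# Constructed sample export. '17.10' is a made-up version included to show why
# a string comparison ('17.10' < '17.2.1') would wrongly flag the device.
SAMPLE_INVENTORY = """device,os_version
trader-iphone-01,17.2.1
trader-iphone-02,17.3
trader-iphone-03,16.7.10
trader-iphone-04,13.0
trader-iphone-05,12.5.7
trader-iphone-06,17.10
trader-iphone-07,unknown
"""

if __name__ == "__main__":
    flagged, unparsed = triage(SAMPLE_INVENTORY)
    print("in reported range:", flagged)
    print("needs manual check:", unparsed)
```

A device in the reported range is a candidate for priority updating, not evidence of compromise.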

After gaining access, the malware systematically scans the device’s file system for indicators associated with digital wallets. It also searches the photo library for QR codes that might contain wallet information and analyzes stored notes to locate mnemonic recovery phrases. Once these sensitive credentials are extracted, attackers can quickly transfer funds out of the victim’s wallet.

Shift From State Surveillance to Financial Cybercrime

Cybersecurity experts suggest that the complexity of the Coruna exploit chain mirrors tools previously associated with government surveillance operations. Historically, vulnerabilities of this scale were often used by specialized firms such as NSO Group to monitor high-profile individuals including journalists, diplomats, or political dissidents.

In this case, however, researchers believe the technology has been repurposed for financial gain. Evidence suggests that some of the vulnerabilities used in the Coruna toolkit resemble those previously weaponized in advanced cyber campaigns such as Operation Triangulation, which analysts suspected had state sponsorship.

The repackaging of these sophisticated exploits for criminal purposes significantly lowers the barrier for cybercriminals seeking to steal cryptocurrency. Security specialists indicate that even individuals with limited technical expertise may now be able to deploy attacks capable of draining wallets linked to widely used applications.

This development follows a pattern frequently observed in cybersecurity, where tools initially designed for espionage eventually spread into the broader criminal ecosystem. In the case of Coruna, analysts believe the attackers are primarily motivated by financial gain rather than intelligence collection.

Large-Scale Theft Targeting Crypto Wallet Users

Security firm iVerify reported that the exploit has already affected at least 42,000 devices, although the full financial impact remains unclear. The malware specifically targets directories linked to popular non-custodial cryptocurrency wallets, including MetaMask, Bitget Wallet—formerly known as BitKeep—and Trust Wallet.

If the encrypted storage associated with these wallets is weak or if passwords are stored in vulnerable locations such as compromised keychains or unsecured notes, attackers can gain immediate access and transfer the funds.

The threat is amplified by common user behavior among mobile crypto traders, who frequently interact with decentralized applications and authorize transactions while on the move. This convenience-driven behavior often results in weaker security practices, which the Coruna exploit takes advantage of.

Unlike phishing attacks that rely on tricking users into approving malicious transactions, this exploit focuses on directly stealing the cryptographic keys that control wallet access. Once those keys are obtained, attackers can transfer funds without requiring any further interaction from the victim.

Security Experts Urge Caution

Given the growing threat, security professionals are encouraging mobile crypto users to adopt stronger protective measures. One recommendation involves moving digital assets to hardware-based cold storage solutions such as Ledger or Trezor devices, which store private keys offline and significantly reduce exposure to malware attacks.

Experts also emphasize the importance of installing software updates promptly, avoiding suspicious websites, and exercising caution when interacting with unknown decentralized applications or token claim pages. As the cryptocurrency ecosystem continues to grow, analysts believe the emergence of advanced exploit frameworks like Coruna demonstrates that cybersecurity threats are evolving at the same pace as the technology itself.

The post Coruna Exploit Kit Targets iPhone Crypto Wallet Users appeared first on CoinTrust.
