
Archived Article — The Daily Perspective is no longer active. This article was published on 3 March 2026 and is preserved as part of the archive.

Technology

Spy-Grade iPhone Toolkit 'Coruna' Has Escaped into Enemy Hands

A hacking toolkit that bears hallmarks of US government origins has passed from Russian intelligence to criminal gangs, with Australia's Five Eyes status adding a direct local dimension.

Image: Wired
Key Points
  • Google's Threat Intelligence Group identified 'Coruna', an iPhone exploit kit containing five full exploit chains and 23 individual vulnerabilities.
  • The toolkit appears to have moved from a commercial surveillance vendor to a suspected Russian espionage group targeting Ukrainians, then to financially motivated criminals.
  • Security firm iVerify estimates roughly 42,000 devices may have been compromised in the criminal campaign alone, with the total victim count potentially far higher.
  • A US government contractor executive was recently jailed for selling hacking tools to a Russian zero-day broker, and his firm had sold tools to Five Eyes partners including Australia.
  • Apple has patched the vulnerabilities in its latest iOS release; users still on older versions are advised to update immediately or enable Lockdown Mode.

When a government-grade cyberweapon escapes its handlers, the consequences are rarely contained. The disclosure this week of an iPhone exploitation toolkit called Coruna, reported by Google's Threat Intelligence Group, is a case study in precisely that kind of institutional failure — and it carries direct implications for Australia's national security posture.

Google's Threat Intelligence Group published its findings on Tuesday, describing Coruna as one of the most technically sophisticated iPhone hacking toolkits ever observed in the wild. The exploit kit targets Apple iPhone models running iOS version 13.0 through to version 17.2.1, and contains five full iOS exploit chains along with a total of 23 individual exploits. The core technical value of the kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. That level of capability does not come cheap or easy.

The toolkit appears to have traveled from the hands of Russian spies who used it to target Ukrainians to a cybercriminal operation designed to steal cryptocurrency from Chinese-speaking victims, and some clues suggest it may have been originally created by a US contractor and sold to the American government. Researchers at mobile security firm iVerify, who analysed the toolkit alongside Google, were unambiguous about what its provenance implies. "It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," iVerify's researcher told Wired.

Google's threat researchers first observed Coruna being used in February 2025 by a customer of a surveillance company, then in July 2025 in watering hole attacks by a suspected Russian espionage group against Ukrainian websites, and finally in December 2025 via fake Chinese gambling and cryptocurrency websites. The trajectory is alarming: a tool that began life in what appear to be tightly controlled government hands passed through a foreign intelligence service and landed with financially motivated criminals within the space of roughly ten months.

The scale of infection is sobering. The volume of connections to a command-and-control server suggests that roughly 42,000 devices may have already been hacked with the toolkit in the for-profit campaign alone. Just how many other victims Coruna may have hit, including Ukrainians who visited websites infected with the code by the suspected Russian espionage operation, remains unclear. Those numbers represent real people: journalists, activists, officials, and ordinary citizens who visited what appeared to be legitimate websites.

The EternalBlue Moment for Mobile

Researchers have drawn an explicit parallel to one of the most consequential intelligence failures in cybersecurity history. iVerify's analyst described this as "the EternalBlue moment for mobile malware"; EternalBlue was the Windows-hacking tool stolen from the National Security Agency and leaked in 2017, leading to its use in catastrophic cyberattacks including North Korea's WannaCry worm and Russia's NotPetya attack. The comparison is pointed. Once a weapon of this sophistication enters the black market, attribution becomes murky and containment becomes impossible.

The question of how Coruna escaped is unresolved, but the broader ecosystem that could facilitate such leakage is becoming clearer. Peter Williams, an executive of US government contractor Trenchant, was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams' sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as others in the Five Eyes group, which includes Australia, Canada, and New Zealand. Whether Coruna and the Trenchant case are connected remains unconfirmed, but the proximity is difficult to ignore.

"How this proliferation occurred is unclear, but suggests an active market for 'second hand' zero-day exploits," Google's report reads. The zero-day brokerage industry operates in a regulatory grey zone, with firms offering tens of millions of dollars for previously unknown vulnerabilities that governments and intelligence agencies then deploy for offensive operations. When those tools leak, the asymmetry of harm is stark: governments lose a capability, while adversaries and criminals gain one.

Australia's Exposure

From a national security perspective, Australia's position within the Five Eyes intelligence-sharing arrangement is a double-edged consideration here. On one hand, it means Australian agencies benefit from some of the most sophisticated signals intelligence on the planet. On the other, Trenchant's documented sales to Five Eyes partners raise legitimate questions about the oversight frameworks governing how allied contractors handle tools that could ultimately be turned against the citizens those alliances exist to protect.

The Australian Signals Directorate has not commented publicly on Coruna. That restraint is understandable, given classification obligations, but it leaves a transparency gap that democratic accountability requires to be addressed at some level.

Defenders Have Some Room to Act

There is practical good news, limited but real. Apple has patched the vulnerabilities used by Coruna in the latest versions of its mobile operating system, iOS 26, meaning its exploitation techniques are only confirmed to work against iOS 13 through 17.2.1. Coruna is not effective against the latest version of iOS, and for users who cannot upgrade, enabling Lockdown Mode or using private browsing neutralises it, as Coruna performs checks to avoid execution under such defensive configurations. For most Australians, the immediate mitigation is straightforward: update your device.
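A fleet-triage check built on the version range stated above, added here as an example that is not from the article, Google or iVerify; the device inventory and device identifiers are constructed for illustration, and the check assumes a device is still exposed if its reported iOS version falls anywhere in 13.0 through 17.2.1.

```python
# Added example (not from the article): flag iOS devices in the Coruna-affected
# version range (iOS 13.0 through 17.2.1) within a constructed device inventory.
from typing import List, Tuple

AFFECTED_MIN = (13, 0, 0)   # oldest version the article names as affected
AFFECTED_MAX = (17, 2, 1)   # newest version the article names as affected


def parse_ios_version(v: str) -> Tuple[int, int, int]:
    """Parse '17.2.1', '17.2' or '16' into a zero-padded (major, minor, patch) tuple.

    Numeric tuples avoid the classic mistake of comparing version strings
    lexically, where '17.10' would wrongly sort below '17.2'.
    """
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_in_affected_range(v: str) -> bool:
    """True if the version lies inside the range the article reports as exploitable."""
    return AFFECTED_MIN <= parse_ios_version(v) <= AFFECTED_MAX


# Constructed sample inventory: hypothetical device ids paired with reported iOS versions.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ios-0001", "17.2.1"),   # last affected release
    ("ios-0002", "17.2"),     # shorthand form, treated as 17.2.0
    ("ios-0003", "17.3"),     # just above the affected range
    ("ios-0004", "26.0"),     # patched major release per the article
    ("ios-0005", "12.5.7"),   # below the affected range
    ("ios-0006", "13.0"),     # first affected release
    ("ios-0007", "17.10"),    # numeric compare puts this above 17.2.1
]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return ids of devices still in the affected range, i.e. those that need an update."""
    return [dev for dev, ver in inventory if is_in_affected_range(ver)]


if __name__ == "__main__":
    for dev in triage(SAMPLE_INVENTORY):
        print(f"{dev}: update to a patched iOS release, or enable Lockdown Mode until then")
```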

The harder problem is structural. Governments across the democratic world, including Australia, have long maintained that offensive cyber capabilities are essential tools of statecraft. That argument has merit; the ability to penetrate adversary networks provides genuine strategic value. But the Coruna case forces a reckoning with the costs of that posture when controls fail. "This is the first example we've seen of very likely US government tools, based on what the code is telling us, spinning out of control and being used by both our adversaries and cybercriminal groups," the iVerify researcher told Wired.

Reasonable people can disagree about where precisely to draw the line between legitimate intelligence capabilities and the proliferation risk they create. What is harder to dispute is that the current oversight regime, across the Five Eyes and beyond, has not kept pace with the speed at which these tools move once they leave government hands. The Coruna exploit kit provides another example of how sophisticated capabilities proliferate. Addressing that gap requires neither abandoning offensive cyber capabilities nor pretending they can be held forever in perfect secrecy. It requires honest, evidence-based governance, of the kind that democratic governments owe their citizens.

Aisha Khoury

Aisha Khoury is an AI editorial persona created by The Daily Perspective. Covering AUKUS, Pacific security, intelligence matters, and Australia's evolving strategic posture with authority and nuance. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.