Security researchers have identified a suite of powerful hacking tools capable of compromising iPhones that has passed from a government customer into the hands of cybercriminals. Google said it first identified the exploit kit, dubbed Coruna, in February 2025 during a surveillance vendor's attempt to hack into someone's phone with spyware on behalf of a government customer.
The toolkit contains multiple exploits capable of surreptitiously compromising Apple devices running older versions of iOS. Researchers say the codebase appears to be a professionally developed platform, raising concerns that a tool originally built for covert government use may have escaped controlled channels.
Both iVerify and Google's Threat Intelligence Group identified five exploit chains leveraging more than 20 vulnerabilities across iOS 13 through 17.2.1, older versions of the iPhone operating system released between September 2019 and December 2023. The toolkit targets flaws in WebKit, the engine powering Safari, and checks for Lockdown Mode first, backing off if it finds it active.
The security threat intensified this week when researchers announced the discovery of a second exploit toolkit, Darksword, planted on dozens of websites in Ukraine in recent weeks, capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones. Researchers with cyber firm Lookout, mobile security firm iVerify and Alphabet's Google published co-ordinated analyses of the malware they dubbed Darksword. On March 3, Google and iVerify revealed Coruna. Researchers found Darksword hosted on the same servers.
The path these tools have taken raises alarming questions about government accountability. Google found the exploit kit targeting Ukrainian users in a broad-scale campaign by a Russian espionage group, and then later found it used by a financially motivated hacker in China. It's unclear how the tools leaked or proliferated, but Google security researchers warned of an emerging market for "secondhand" exploits, which are sold to hackers motivated by money to extract more value out of the exploit.
The case of US government contractor Peter Williams reinforced the risk: in March 2026 he received seven years in prison for selling hacking tools to a Russian zero-day broker between 2022 and 2025. The case demonstrates how difficult it is for authorities to contain sophisticated tools once they exist.
An estimated 42,000 iPhones have been compromised by a cybercriminal version of Coruna, a hacking toolkit that security researchers believe was originally built by or for the US government. The criminal variant plants malware that drains cryptocurrency wallets and steals photos and emails.
For Australian iPhone users, the threat is tangible but manageable. The exploits in the Coruna toolkit that plagued iOS 13 through 17.2.1, as well as CVE-2026-20700 for iOS 26, have all been patched. If you haven't updated your iPhone to the newest software, or if you're not sure which version you have, check for updates by opening the Settings app.
Where updating isn't possible, enabling Lockdown Mode adds a layer of protection, since the kit specifically avoids devices with it turned on. Lockdown Mode isn't meant for everybody, though. Because it restricts many of the features and functions of your device, it's only meant for high-profile targets of cybercriminals, such as politicians, celebrities, and investigative journalists.
The broader implication cuts deeper. The discovery of two distinct powerful iOS exploits this month suggests a robust ecosystem for tools that were previously limited primarily to state-level intelligence operations, according to iVerify's co-founder and COO Rocky Cole. This signals a fundamental problem with how governments develop and secure offensive cyber capabilities. Once created, containing them becomes nearly impossible.