Cybercriminals are now using government-grade iPhone hacking tools
Cybercriminals are increasingly using government-level hacking tools designed to target iPhones, raising serious concerns about mobile security and data protection worldwide.
Security researchers have discovered a sophisticated collection of hacking tools that can compromise iPhones running older versions of Apple’s software, and they say the toolkit appears to have moved from a government customer to cybercriminals.
Google said on Tuesday that it first detected the exploit kit, known as Coruna, in February 2025 during an attempt by a surveillance vendor to hack a person’s phone with spyware on behalf of a government client. Months later, Google found the same exploit kit being used against Ukrainian users in a large-scale campaign carried out by a Russian espionage group. The toolkit was later identified again in the hands of a financially motivated hacker operating in China.
It remains unclear how the hacking tools leaked or spread. Still, Google’s security researchers warned that a new market may be taking shape for what they described as “secondhand” exploits — tools that are resold to hackers seeking to squeeze more financial value out of them.
The finding also highlights how exploits and back doors created for government use can escape into the wild and later be misused by cybercriminals or other non-state actors. Mobile security firm iVerify obtained the tools and reverse-engineered them, saying in a blog post that it connected the Coruna exploit kit to the U.S. government based on similarities to hacking frameworks previously attributed to the United States.
“The more widespread the use, the more certain a leak will occur,” iVerify said. “While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”
Google said the hacking toolkit is especially powerful because it can defeat iPhone defences simply by getting a target to visit a malicious website containing the exploit code — for example, by sending the person a harmful link — in what is known as a “watering hole” attack. According to Google, the Coruna kit can compromise an iPhone through five attack paths by leveraging and chaining 23 distinct vulnerabilities. Devices at risk include iPhone models running iOS 13 through iOS 17.2.1, which Apple released in December 2023.
According to Wired, which first reported the development, the Coruna kit includes components previously seen in a 2023 hacking campaign known as Operation Triangulation. In that campaign, Russian cybersecurity company Kaspersky said a threat actor had attempted to hack several iPhones belonging to its employees. Russia’s Federal Security Service (FSB) blamed the intrusions on the U.S. government.
Although leaks of government-grade hacking tools are relatively uncommon, they are far from unprecedented. In 2017, the U.S. National Security Agency discovered that tools it had developed to hack Windows computers worldwide had been stolen. One of those Windows backdoors, known as EternalBlue, was later published online and used by cybercriminals in subsequent attacks, including North Korea’s 2017 WannaCry ransomware campaign.
There was also the recent case involving Peter Williams, the former head of U.S. defence contractor L3Harris Trenchant, who was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker known to work with the Russian government.
Prosecutors said Williams sold exploits capable of hacking “millions of computers and devices” around the world. At least one of those exploits was sold to a South Korean broker. It is still unclear whether the exploits were disclosed to the affected software vendors or whether patches were issued.