News Froggy
newsfroggy
HomeTechReviewProgrammingGamesHow ToAboutContacts
newsfroggy

Your daily source for the latest technology news, startup insights, and innovation trends.

More

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

Categories

  • Tech
  • Review
  • Programming
  • Games
  • How To

© 2026 News Froggy. All rights reserved.

TwitterFacebook
Tech

Possible US Government iPhone-Hacking Tool Leaks to Foreign

A powerful iPhone-hacking toolkit, "Coruna," potentially developed for the US government, has reportedly leaked and is now being used by Russian spies and cybercriminals. Google discovered the sophisticated exploits, capable of silently hijacking iPhones, which were first seen targeting Ukrainians and later used to steal cryptocurrency from Chinese victims. This proliferation highlights a dangerous "second-hand" market for advanced cyber weapons.

PublishedMarch 4, 2026
Reading Time5 min
Possible US Government iPhone-Hacking Tool Leaks to Foreign

A sophisticated iPhone-hacking toolkit, potentially originating from a US government contractor, has reportedly fallen into the hands of Russian intelligence and, subsequently, cybercriminals. Dubbed "Coruna" by Google researchers, this powerful set of exploits, capable of silently hijacking iPhones by merely visiting a website, represents a critical security leak with alarming implications for global mobile device safety and international espionage. Its observed journey from targeting Ukrainians to stealing cryptocurrency from Chinese-speaking victims highlights a dangerous proliferation of advanced cyber capabilities.

Google's Tuesday report details Coruna as a highly advanced toolkit comprising five distinct hacking techniques that exploit 23 vulnerabilities in iOS. These techniques allow for the silent installation of malware on an iPhone simply by visiting a compromised website. Such a comprehensive collection of exploits suggests development by a well-funded, likely state-sponsored entity.

Coruna's Troubling Trajectory

The toolkit's evolution is a concerning timeline. Google initially detected components of Coruna in February of last year, attributing their use to an undisclosed “customer of a surveillance company.” Five months later, a more complete version resurfaced, employed in an espionage campaign by a suspected Russian spy group, discreetly embedded within visitor counters on Ukrainian websites. Most recently, Coruna has been observed in a purely profit-driven operation, infecting Chinese-language crypto and gambling sites to steal victims' cryptocurrency.

While Google's report is notably silent on the original "surveillance company customer," mobile security firm iVerify provides a strong suggestion: the code may have been built for or acquired by the US government. iVerify co-founder Rocky Cole points to Coruna's overlap with "Triangulation," a hacking operation discovered targeting Kaspersky in 2023, which Russia attributed to the NSA. Cole further notes the code appears to be originally written by English speakers and bears the "hallmarks of other modules that have been publicly attributed to the US government,” calling it the first instance of “very likely US government tools…spinning out of control.”

An "EternalBlue Moment" for Mobile

This potential leak raises profound questions about the security of mobile devices globally, akin to what iVerify’s Cole terms the “EternalBlue moment for mobile malware.” EternalBlue was an NSA Windows-hacking tool stolen and leaked in 2017, leading to widespread catastrophic cyberattacks like WannaCry and NotPetya. Google warns that Coruna's proliferation suggests an “active market for ‘second hand’ zero-day exploits,” meaning these advanced techniques could be adopted or adapted by various threat actors.

Apple has since patched the vulnerabilities exploited by Coruna in iOS 17.3 and later versions. However, devices running iOS 13 through 17.2.1 remain susceptible, particularly Safari users, as the toolkit targets Apple's Webkit framework. Coruna also checks for and avoids devices with Apple's Lockdown Mode enabled, providing a layer of protection for users who utilize this stringent security setting. Despite these limitations, iVerify estimates that the cybercriminal version of Coruna alone may have infected roughly 42,000 devices, based on command-and-control server traffic. The full extent of infections from the Russian espionage campaign remains unclear.

Professional Origins, Crude Alterations

Spencer Parker, iVerify's chief product officer, described the core Coruna exploits as "very professionally written" and modular, contrasting them with the "poorly written" additions made by cybercriminals to steal cryptocurrency, photos, and emails. Rocky Cole argues against the possibility of Coruna being merely repurposed components of Triangulation, emphasizing that many elements are novel and the entire toolkit appears to have been crafted by a "single author," indicating a cohesive, purpose-built framework.

The Role of Exploit Brokers

The precise mechanism of Coruna's potential leak remains a mystery. However, experts like Cole point to the shadowy industry of zero-day exploit brokers who deal in sophisticated hacking techniques for tens of millions of dollars. These brokers, often “unscrupulous,” may sell tools to the highest bidder without exclusivity arrangements. Cole suggests that Coruna likely “ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” echoing the sentiment that “the genie is out of the bottle.” This scenario gains some context from recent events, such as the sentencing of Peter Williams, an executive of US government contractor Trenchant, who sold hacking tools to a Russian zero-day broker.

The emergence and wide-ranging proliferation of Coruna underscore a chilling new reality in cybersecurity. A potent, potentially state-developed, iPhone-hacking capability has now entered the global black market, posing an ongoing threat to individuals and national security interests alike, even as the original source and the full extent of its impact continue to unravel.

FAQ

Q: What is Coruna and why is it significant? A: Coruna is a highly sophisticated iPhone-hacking toolkit that exploits 23 vulnerabilities in iOS to silently install malware on devices. It's significant because it represents a rare and powerful capability, possibly originating from the US government, that has since proliferated to Russian spies and cybercriminals, raising major concerns about mobile security.

Q: Which iPhone users are vulnerable to Coruna? A: iPhone users running iOS versions 13 through 17.2.1 are primarily vulnerable, especially if using Safari, as the toolkit targets Apple's Webkit framework. Apple has patched these vulnerabilities in iOS 17.3 and later. Devices with Apple's Lockdown Mode enabled are not targeted by Coruna.

Q: How did Coruna potentially get into the hands of foreign adversaries and criminals? A: While unconfirmed, security experts suggest that unscrupulous zero-day exploit brokers, who operate a multi-million-dollar market for hacking tools, may have sold Coruna to various buyers. This could explain its journey from a potential US government source to Russian espionage operations and then to cybercriminal groups.

#iPhone#Cybersecurity#Hacking#US Government#Coruna

Related articles

JPMorgan Chase Taps Seattle for Critical AI Control Layer Development
Tech
GeekWireJul 15

JPMorgan Chase Taps Seattle for Critical AI Control Layer Development

Global financial giant JPMorgan Chase is making a significant strategic investment in Seattle, establishing a new AI software infrastructure team. This pivotal group will build an "AI control layer" to manage the bank's AI operations, aiming to control costs, protect intellectual property, and prevent vendor lock-in.

The Motorola Edge 70 Max is all about power: Android — Key Details
Tech
The VergeJul 15

The Motorola Edge 70 Max is all about power: Android — Key Details

Motorola has launched its new flagship, the Edge 70 Max, designed for power users with a massive 7100mAh silicon-carbon battery and 25W Qi2 wireless charging. It’s the first Android phone since the Pixel 10 Pro XL to support full 25W Qi2, surpassing other Qi2-enabled Androids capped at 15W. The device also offers 90W wired charging and a Snapdragon 8 Gen 5 chip.

Programming
Hacker NewsJul 15

Is Your Smart Fridge a Scraper? New Data Uncovers Hidden Botnets

New data from Anubis' honeypot reveals a pervasive scraping problem, with nearly 90% of observed scraper IPs not on traditional threat lists. This global phenomenon is likely driven by compromised smart appliances, highlighting a hidden botnet threat. The findings underscore the need for advanced WAFs and user vigilance in securing IoT devices.

DeepMind CEO calls for independent body to regulate frontier AI
Tech
TechCrunchJul 14

DeepMind CEO calls for independent body to regulate frontier AI

DeepMind CEO Demis Hassabis has proposed an independent standards body, modeled after FINRA, to regulate frontier AI models. The body would test advanced AI systems and develop best practices for their release, initially on a voluntary basis before potentially becoming mandatory. This initiative aims to provide technically focused, adaptable oversight to the rapidly evolving field of AI.

OnePlus is reportedly bailing on the US: Oppo — Key Details
Tech
The VergeJul 14

OnePlus is reportedly bailing on the US: Oppo — Key Details

OnePlus, and parent company Oppo, are reportedly exiting the US and European markets, with an announcement due shortly. This follows months of rumors and signals a major shift in the Western smartphone landscape.

startups: The web is now mostly bots. Cloudflare is rebuilding its
Tech
The Next WebJul 14

startups: The web is now mostly bots. Cloudflare is rebuilding its

Cloudflare has launched Precursor, a new defense system, in response to bots now generating over 57% of all web traffic. Precursor monitors entire user sessions to distinguish humans from sophisticated bots, moving beyond traditional single-check methods. This initiative is part of a broader strategy to classify and manage AI agents, control content reuse, and rebuild the web's foundational infrastructure for a machine-dominated internet.

Back to Newsroom

Stay ahead of the curve

Get the latest technology insights delivered to your inbox every morning.