Imagine a world where a powerful iPhone-hacking toolkit, possibly created for the US government, falls into the hands of foreign spies and cybercriminals. This isn’t a plot from a spy thriller—it’s happening right now. A highly sophisticated hacking tool known as “Coruna” has been making waves in the cybersecurity world, and its journey is as shocking as it is alarming. But here’s where it gets even more unsettling: this toolkit, capable of silently hijacking iPhones by exploiting 23 distinct vulnerabilities in iOS, has been linked to campaigns targeting Ukrainians, Chinese-speaking cryptocurrency users, and potentially many others. And this is the part most people miss—it might have started as a US government project.
Security researchers at Google recently unveiled Coruna in a detailed report, describing it as a rare and powerful exploit kit. It works by bypassing all of an iPhone’s defenses when the user visits a website containing the malicious code, allowing hackers to install malware undetected. What’s truly alarming is the toolkit’s sophistication, suggesting it was developed by a well-funded, state-sponsored group. Google traced parts of Coruna back to techniques spotted in 2023, attributed to a mysterious “customer of a surveillance company.” Months later, it resurfaced in an espionage campaign by suspected Russian spies targeting Ukraine. Then, it appeared again in a profit-driven scheme, infecting Chinese-language crypto and gambling sites to steal cryptocurrency.
But who was the original creator? While Google’s report avoids naming names, mobile security firm iVerify suggests the toolkit may have been built for or purchased by the US government. This theory is bolstered by similarities to the “Triangulation” hacking operation, which Russia claimed was the work of the NSA. iVerify’s cofounder, Rocky Cole, notes that Coruna’s code bears the hallmarks of US government tools, including its high sophistication and English-speaking origins. “This is the first example we’ve seen of likely US government tools spinning out of control,” Cole told WIRED. Is this the beginning of a new era where state-sponsored tools fall into the wrong hands?
This situation has drawn comparisons to the infamous “EternalBlue” leak, where an NSA hacking tool was stolen and used in devastating cyberattacks like WannaCry and NotPetya. Coruna’s proliferation raises critical questions about the security of mobile devices and the risks of creating such powerful tools. While Apple has patched the vulnerabilities in iOS 26, older versions remain at risk, potentially exposing millions of users.
But here’s the controversial part: If Coruna was indeed a US government tool, how did it end up in the hands of adversaries and cybercriminals? Some experts point to the shadowy world of zero-day exploit brokers, who buy and sell hacking techniques to the highest bidder. For instance, a US contractor was recently sentenced to seven years in prison for selling hacking tools to a Russian broker. Could this be how Coruna leaked? And if so, what does this mean for global cybersecurity?
iVerify estimates that Coruna has already infected tens of thousands of devices, with one campaign alone targeting roughly 42,000 victims. Yet, the full scope of its impact remains unknown. Apple has yet to comment, and Google’s report leaves many questions unanswered. Is this the tip of the iceberg, or just the beginning of a larger crisis?
One thing is clear: Coruna’s code is remarkably professional, suggesting it was created by a single, highly skilled author. While cybercriminals added cruder malware to the toolkit, the core framework is impressively polished. This raises another question: If this tool was meant for legitimate purposes, how did it become a weapon for profit and espionage?
As the debate heats up, one thing is certain—the genie is out of the bottle. Coruna’s journey from a possible US government project to a tool for foreign spies and criminals is a stark reminder of the dangers of unchecked hacking capabilities. What do you think? Is this a failure of oversight, or an inevitable consequence of the cyber arms race?