iPhone Hacking Toolkit Used by Russian Spies Likely Originated from US Military Contractor

A mass hacking effort aimed at iPhone users in Ukraine and China used tools reportedly developed by U.S. military contractor L3Harris, TechCrunch has found. Initially intended for Western intelligence, these tools ended up with various hacking gangs, including Russian and Chinese groups.

Google recently disclosed that during 2025 it identified a sophisticated iPhone-hacking toolkit in use around the world. Known to its developer as “Coruna,” the toolkit consists of 23 components and was initially used by a government customer through an undisclosed surveillance vendor. It was later used by Russian spies against Ukrainians and by Chinese hackers in broader, financially motivated campaigns.

iVerify’s researchers independently analyzed Coruna and suggested it might have been originally crafted by a company that sold it to the U.S. government.

Two former L3Harris employees informed TechCrunch that Coruna was partially developed by Trenchant, the company’s hacking tech division. Both spoke anonymously, citing restrictions against discussing their work.

“Coruna was definitely an internal name,” stated one ex-employee familiar with iPhone hacking tools from Trenchant.

After reviewing the technical details Google disclosed, the same ex-employee said many of them were recognizable.

Former Trenchant staff said the company’s broader toolkit included Coruna alongside similar exploits. A second ex-employee confirmed that parts of the publicly documented toolkit originated at Trenchant.

L3Harris provides Trenchant’s tools solely to the U.S. and its Five Eyes allies: Australia, Canada, New Zealand, and the UK. Given Trenchant’s small customer base, Coruna most likely began in the hands of one of those governments’ intelligence agencies before reaching unintended users, although how much of the publicly documented Coruna came from L3Harris remains unclear.

L3Harris declined to comment.

How Coruna travelled from a Five Eyes contractor to Russian hackers and then on to Chinese cybercriminals is not established.

This echoes the case of Peter Williams, an ex-Trenchant manager who sold eight of the company’s tools to the Russian exploit broker Operation Zero. Williams, accused of abusing his “full access” to Trenchant’s resources, sold the tools for $1.3 million. They could potentially have been used to access millions of devices worldwide.

Operation Zero, which is under U.S. sanctions, allegedly resold the tools, which would explain how they reached Russian spies: Google identified a group it tracks as UNC6353 deploying Coruna from compromised Ukrainian websites in watering-hole attacks against specific iPhone users.

It is plausible that after acquiring Coruna, Operation Zero sold it on again, which would link it to financially motivated cybercriminals.

Coruna eventually reached Chinese hackers. Williams himself has said he saw code he sold to Operation Zero being repurposed via a South Korean intermediary.

Google documented that two Coruna exploits, Photon and Gallium, were used as zero-days in Operation Triangulation, a campaign against Russian iPhone users first revealed by Kaspersky in 2023.

Rocky Cole of iVerify concluded that Trenchant and the U.S. government originally developed Coruna, based on three observations: the timing of Coruna’s use lines up with Williams’ leaks, its modular structure mirrors Triangulation’s, and the two share exploits.

Sources in the “defense community” reportedly claimed that another exploit, Plasma, was also used in Triangulation, although there is no public evidence of this.

Coruna targeted iPhones running iOS 13 through 17.2.1, a range consistent with both the timing of Williams’ leaks and Triangulation’s timeline.

When Triangulation was revealed in 2023, Trenchant employees suspected that some of the zero-days Kaspersky described came from their own toolkit.

The use of bird names for Coruna tools also hints at a link to Trenchant: Azimuth, a company later absorbed into Trenchant, sold hacking tools to the FBI.

After Triangulation was exposed, Russia’s FSB accused the NSA of hacking Russian iPhones. Kaspersky did not confirm the FSB’s claims, but noted that the indicators of compromise it had identified overlapped with those published by Russia’s National Coordination Center for Computer Incidents (NCCCI).

Kaspersky did not attribute Operation Triangulation to anyone. Google linked Coruna to Triangulation on the basis of the vulnerabilities the two share, while cautioning that shared vulnerabilities alone are not a sound basis for attribution, since exploits for the same bugs can be bought, stolen, or independently discovered.

Kaspersky did not publicly claim U.S. government involvement in Triangulation, though the logo it chose for the campaign may have been intended to signal a connection.

There is precedent for such reticence: in 2014 Kaspersky disclosed a group it dubbed “Careto” without naming a state, and the group was later privately assessed to be Spanish-run.

Cybersecurity journalist Patrick Gray has speculated that Williams may have been the one who leaked the Triangulation kit to Operation Zero.

Apple, Google, and Operation Zero did not respond to requests for comment.