Cybercriminals Now Use Government Hacking Tools Designed for iPhones

Security researchers have discovered a powerful suite of hacking tools capable of compromising Apple iPhones running older software, now believed to have moved from a government entity to cybercriminals. Google identified the exploit kit, named Coruna, in February 2025 during an attempt by a surveillance vendor to hack a phone with spyware for a government client. Google later found the kit targeting Ukrainian users in a campaign by a Russian espionage group and being used by a financially motivated hacker in China.

How the tools leaked or spread is unknown, but Google security experts highlighted a growing market for “second hand” exploits, sold to financially driven hackers. This illustrates how tools meant for governmental use can leak and be abused by criminals. iVerify, a mobile security firm that reverse-engineered the tools, connected Coruna to the U.S. government based on hacking methods previously attributed to the U.S.

“The broader the usage, the more likely a leak will occur,” iVerify stated. Though this tool might be a leaked U.S. framework, it indicates that such tools will eventually reach bad actors. Google said the tools can bypass iPhone defenses when a victim visits a malicious site, a technique known as a “watering hole” attack. Coruna can hack iPhones by using 23 vulnerabilities. Affected devices are those running iOS 13 through 17.2.1, which was released in December 2023.

Wired, which first reported the news, noted that Coruna includes components from Operation Triangulation. In 2023, Kaspersky, a Russian firm, claimed that the U.S. government attempted to hack the iPhones of its employees.

Though rare, leaks of hacking tools do happen. The NSA’s tools for hacking Windows systems were stolen in 2017 and publicly released, and saw criminal use in attacks like North Korea’s 2017 WannaCry ransomware. TechCrunch also covered the sentencing of Peter Williams, former head of L3Harris Trenchant, who was jailed for over seven years after selling eight exploits to a Russian broker.

According to prosecutors, Williams sold exploits capable of hacking millions of devices worldwide, with at least one sold to a South Korean broker. It’s unknown if these exploits were disclosed to software companies or patched.
