A widespread hacking operation aimed at iPhone users in Ukraine and China utilized tools likely developed by U.S. military contractor L3Harris, according to TechCrunch. These tools, intended for Western intelligence, were acquired by several hacking groups, including Russian and Chinese entities.
Google recently disclosed that throughout 2025, it detected a sophisticated iPhone-hacking suite known as “Coruna,” used in global attacks. Initially developed for an unnamed government client by an unknown “surveillance vendor,” Coruna was utilized by Russian spies against select Ukrainians and eventually by Chinese cybercriminals in broad campaigns targeting financial assets.
Security experts at iVerify, who performed an independent analysis of Coruna, believe it might have originated from a company that sold it to the U.S. government.
TechCrunch spoke with two former employees of L3Harris, who confirmed the involvement of the company’s hacking division, Trenchant, in Coruna’s partial development. Both sources, with direct experience in iPhone exploitation tools, requested anonymity as they were not authorized to discuss their work.
“Coruna was definitely an internal name of a component,” one ex-employee said, recognizing several technical details published by Google as familiar to them.
L3Harris markets hacking and surveillance systems exclusively to the U.S. government and its Five Eyes intelligence partners—Australia, Canada, New Zealand, and the UK. With this limited clientele, Coruna might have been first obtained by one of these intelligence agencies before reaching unauthorized entities, though the extent of Coruna’s development by Trenchant is unclear.
An L3Harris spokesperson did not respond to a request for comment.
Details about how Coruna transitioned from a Five Eyes government contractor to Russian and Chinese hacking entities remain unresolved.
This situation echoes the case of Peter Williams, a former general manager at Trenchant. Between 2022 and mid-2025, Williams unlawfully sold eight hacking tools to Operation Zero, a Russian company known for offering large sums for zero-day exploits—previously unknown software vulnerabilities. Williams, an Australian citizen, admitted to this breach and was sentenced to seven years in prison last month for the illegal sale, which amounted to $1.3 million.
U.S. authorities claimed Williams “betrayed” them, reportedly leaking tools capable of compromising countless devices globally by exploiting widespread software vulnerabilities, such as those in iOS. Operation Zero, sanctioned by the U.S. Treasury last month, claims to work with the Russian government, having allegedly sold Williams’ stolen tools to unauthorized users.
This explains how the Russian group, identified by Google as UNC6353, obtained Coruna to breach Ukrainian websites, targeting specific iPhone users. Operation Zero might have resold Coruna to other buyers, including brokers, other countries, or cybercriminals. The U.S. Treasury linked Operation Zero to hackers with financial motives.
Coruna likely reached Chinese hackers through similar resales. Williams confirmed the reuse of his code in transactions with a South Korean broker.
Operation Triangulation
According to Google researchers, Coruna exploits and vulnerabilities termed Photon and Gallium were deployed as zero-days in Operation Triangulation, a targeted operation allegedly against Russian iPhone users, first uncovered by Kaspersky in 2023.
iVerify co-founder Rocky Cole told TechCrunch that evidence suggests Trenchant and the U.S. government were behind Coruna’s development. While not definitive, this theory is supported by a timeline matching Williams’ leaks, similarities in modules with Triangulation, and shared exploitation methods.
Cole also referenced insider claims about Plasma’s usage in Operation Triangulation. Coruna targeted iPhones running iOS 13 to 17.2.1, a range whose dates align with Williams’ leaks and Triangulation’s discovery.
Former Trenchant employees at L3Harris suspected that zero-days identified by Kaspersky were possibly stolen from the project involving Coruna.
Security researcher Costin Raiu noted the use of bird names like Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow in Coruna’s toolkit, a method attributed to Azimuth, a company acquired by L3Harris and incorporated into Trenchant, known for selling a hacking tool named Condor to the FBI.
Russia’s