Googleโs Threat Intelligence Group (GTIG) is warning that a โnew and powerfulโ iOS exploit kit, dubbed Coruna by its developers has been deployed on fake finance and crypto websites designed to lure iPhone users into visiting pages that can silently deliver exploits. For crypto holders, the risk is blunt: GTIGโs analysis shows the campaigns ultimately focused on harvesting seed phrases and wallet data from popular mobile apps.
Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, bundling five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution across 2025, from early use by a customer of a commercial surveillance company, to โwatering holeโ attacks on compromised Ukrainian websites, and finally to broad-scale distribution via Chinese-language scam sites tied to a financially motivated actor it tracks as UNC6691.
A Crypto Lure Designed For iPhones
In the scam-wave phase, GTIG says it observed the JavaScript framework behind Coruna deployed across a โvery large setโ of fake Chinese websites largely themed around finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that tried to push visitors onto an iOS deviceโafter which a hidden iFrame would be injected to deliver the exploit kit โregardless of their geolocation.โ
Related Reading
The delivery mechanics matter because they blur the line between traditional phishing and outright device compromise: in GTIGโs telling, simply arriving on the booby-trapped page from a vulnerable iPhone was enough to begin the chain. The framework fingerprints the device to identify model and iOS version, then loads the appropriate WebKit remote code execution exploit and a pointer authentication (PAC) bypass.
GTIG tied one WebKit RCE it recovered to CVE-2024-23222, noting it was addressed by Apple in iOS 17.3 on Jan. 22, 2024.
At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on classic surveillance features and more on stealing financial information. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, along with keywords such as โbackup phraseโ and โbank accountโ, including in Apple Memos, which it can then exfiltrate.
Related Reading
The payload is also modular. GTIG says it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions and exfiltrate sensitive information from common crypto wallet appsโamong them MetaMask, Trust Wallet, Uniswapโs wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper.
The broader arc was also flagged by mobile security firm iVerify, which published its own findings around the same time as GTIGโs report. โAnd thatโs exactly what happened again here, but on mobile devices. Phone OEMs do as good a job as anyone can doโฆโ
What Crypto Users Can Do Now
Google says Coruna โis not effective against the latest version of iOS,โ and urges users to update. If updating isnโt possible, GTIG recommends enabling Appleโs Lockdown Mode. GTIG also says it added the identified websites and domains to Google Safe Browsing to help reduce further exposure.
For crypto-native users, the immediate takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, which makes โvisit-to-compromiseโ campaigns uniquely dangerous. GTIGโs reporting suggests the scam funnel wasnโt just about getting victims to connect wallets, it was about getting them onto the right device, on the right iOS version, so exploitation could do the rest.
At press time, the total crypto market cap stood at $2.45 trillion.
Featured image created with DALL.E, chart from TradingView.com
