Google Warns Crypto Users About the Coruna iPhone Exploit Kit Stealing Seed Phrases

Key Takeaways:

Google’s Threat Intelligence Group flagged Coruna as an active iOS exploit kit targeting crypto wallet users.
The kit runs silently on iPhones using iOS 13.0 through 17.2.1 and requires no action from the user.
Updating to iOS 17.3 or later removes the vulnerability entirely.

Google’s Threat Intelligence Group has issued a public warning about a dangerous iOS exploit kit named Coruna. The kit targets iPhones running iOS versions 13.0 through 17.2.1. It silently steals seed phrases, private keys, and wallet data without the user ever clicking a link or approving a transaction.

Coruna originally appeared in commercial surveillance software. It later showed up in Russian espionage campaigns targeting Ukraine. Now, financially motivated criminal groups are using it to steal crypto at scale. This is a real, active threat, not a theoretical one.

🚨 ALERT: Google warns crypto scams are using an iPhone exploit kit called “Coruna,” targeting older iOS versions.

The kit scans for crypto wallets, seed phrases and financial data via malicious websites. pic.twitter.com/NMpjedPdQt
— Cointelegraph (@Cointelegraph) March 5, 2026

How the Coruna iPhone Exploit Kit Works

Coruna does not rely on phishing emails or fake apps. The attack starts the moment a user visits a compromised website. That site could be a spoofed crypto exchange, an aggressive pop-up page, or an untrusted news aggregator. No clicking, no downloading, and no approving anything.

The kit uses a JavaScript fingerprinting framework to detect the iPhone model and iOS version. If the device runs a vulnerable iOS version, it deploys one of 23 distinct exploit chains. Some of these exploit chains were previously unknown zero-day vulnerabilities. That means no one had patched them yet when Coruna first used them.

What Happens After the Device Is Compromised

Once inside the device, Coruna deploys a payload called PlasmaLoader. This is where the crypto theft actually happens. PlasmaLoader hunts for financial data across your entire device.

Here is what it specifically targets:

Seed phrases: Scans local files, Apple Notes, and saved images for BIP39 word sequences and keywords like “backup phrase,” “seed,” or “bank account.”
QR codes: Decodes QR codes stored in your photo library to extract private keys.
Wallet apps: Directly hooks into and pulls data from MetaMask, Trust Wallet, Uniswap, Phantom, Exodus, and Tonkeeper.
Clipboard data: Monitors copied text for wallet addresses and private key strings.

All extracted data gets sent to a remote command-and-control server. The process runs entirely in the background. Most victims have no idea it happened until their funds are gone.

Which Devices Are at Risk

The exploit works on iPhones running iOS 13.0 through 17.2.1. If your iPhone runs iOS 17.3 or later, the specific exploit chains Coruna uses do not work. Apple patched these vulnerabilities in that update. Checking your iOS version right now is the single most important step you can take.

Who Is Behind Coruna and Where It Came From

Security researchers traced Coruna back to a commercial surveillance vendor. Its development cost and technical sophistication suggest possible government origins. The kit first appeared in early 2025, used by paying surveillance customers. It then moved into the hands of a Russian espionage group known as UNC6353, which used it to target Ukrainians.

More recently, a Chinese-linked group identified as UNC6691 began using Coruna for broad-scale crypto theft campaigns. This pattern reflects a troubling trend. Advanced cyberweapons originally built for intelligence agencies eventually reach criminal groups willing to pay for them.

The people now using Coruna are not running basic scams. They are operating with the same technical tools previously reserved for nation-states. That changes the risk profile for every retail crypto user with a mobile wallet. Staying current on crypto security news has never been more important for protecting your holdings.

How to Protect Your Crypto from the Coruna Exploit

Coruna sounds alarming, and it is. However, the defenses against it are straightforward. Most of them require no technical skill at all.

Here are the steps every iPhone crypto user should take:

Update iOS immediately: Updating to iOS 17.3 or later fully removes the vulnerability. The exploit chains in Coruna do not work on patched devices.
Enable Lockdown Mode: If you cannot update your device due to hardware limits, turn on Lockdown Mode under Privacy and Security settings. Coruna skips execution when it detects Lockdown Mode is active.
Move holdings to a hardware wallet: Keeping significant crypto on a mobile device increases risk. A hardware wallet like Ledger or Trezor stores private keys offline, completely out of reach from software exploits.
Stop storing seed phrases digitally: Never save your seed phrase in Notes, screenshots, or cloud backups. Physical backups stored offline remain the safest option.
Avoid unverified crypto sites: Coruna spreads through watering hole attacks on fake or compromised websites. Stick to verified exchanges and platforms only.

For a broader look at keeping your digital assets secure, our wallet security guide covers the core principles every holder should know. If you store significant holdings on mobile, now is a good time to learn about hardware wallet options that keep your keys completely offline.

The Coruna threat is still evolving. Security researchers expect updated versions of the kit to appear soon. Staying patched and moving funds to cold storage are the most reliable ways to stay ahead of it.

Frequently Asked Questions

What is the Coruna iPhone exploit kit?

Coruna is a sophisticated iOS exploit kit that silently steals cryptocurrency wallet data from iPhones. It targets devices running iOS 13.0 through 17.2.1 and requires no user interaction to execute.

How does Coruna steal crypto without the user doing anything?

Visiting a compromised website triggers the attack automatically. The kit fingerprints the device, deploys an exploit chain suited to that iOS version, and then scans the device for seed phrases, private keys, and wallet app data.

Which crypto wallets does Coruna target?

Coruna specifically targets MetaMask, Trust Wallet, Uniswap, Phantom, Exodus, and Tonkeeper. It hooks directly into these apps to extract stored wallet credentials and keys.

Does updating iOS actually protect against Coruna?

Yes. Apple patched the vulnerabilities Coruna exploits in iOS 17.3. Updating to iOS 17.3 or any later version removes the attack surface entirely.

What should I do if I cannot update my iPhone?

Enable Lockdown Mode in your Privacy and Security settings. Coruna is programmed to skip execution when it detects Lockdown Mode is active. Additionally, move your crypto holdings to a hardware wallet as soon as possible.