Imagine a world where a powerful iPhone-hacking toolkit, possibly created for the US government, falls into the hands of foreign spies and cybercriminals. This isn’t a plot from a spy thriller—it’s happening right now. A highly sophisticated hacking tool known as “Coruna” has been making waves in the cybersecurity world, and its journey is as shocking as it is alarming. But here’s where it gets even more unsettling: this toolkit, capable of silently hijacking iPhones by exploiting 23 distinct vulnerabilities in iOS, has been linked to campaigns targeting Ukrainians, Chinese-speaking cryptocurrency users, and potentially many others. And this is the part most people miss—there’s growing evidence suggesting it might have originated from a US contractor and been sold to the American government before spiraling out of control.
On Tuesday, Google’s security researchers released a detailed report on Coruna, describing it as a rare and dangerous collection of hacking techniques. These techniques allow attackers to bypass all iPhone defenses and install malware simply by tricking users into visiting a compromised website. What’s truly alarming is the toolkit’s complexity, which hints at the involvement of a well-funded, state-sponsored group. But the story doesn’t end there. Google traced parts of Coruna back to a hacking campaign from February last year, attributed to a mysterious ‘customer of a surveillance company.’ Months later, it resurfaced in an espionage campaign by suspected Russian spies targeting Ukraine. And then, in a shocking twist, it was used in a profit-driven scheme to steal cryptocurrency from Chinese-speaking victims.
But here’s the controversial part: While Google’s report avoids naming the original ‘customer,’ mobile security firm iVerify suggests the toolkit may have been built for or purchased by the US government. This raises a critical question: How did a tool potentially created for national security end up in the hands of adversaries and cybercriminals? Some clues point to similarities between Coruna and ‘Triangulation,’ a hacking operation Russia blamed on the NSA. iVerify’s cofounder, Rocky Cole, notes that the code’s sophistication and English-speaking origins align with tools attributed to the US government. ‘This is the first example we’ve seen of likely US government tools spinning out of control,’ Cole told WIRED. Is this the beginning of a new era where state-sponsored tools become weapons for anyone with deep pockets?
This situation has been dubbed an ‘EternalBlue Moment’ for mobile devices, referencing the infamous NSA tool that leaked in 2017 and fueled global cyberattacks like WannaCry and NotPetya. Just as EternalBlue exposed the dangers of weaponized exploits, Coruna highlights the risks of advanced hacking tools falling into the wrong hands. While Apple has patched the vulnerabilities in iOS 26, older versions remain at risk, potentially leaving millions of devices vulnerable. iVerify estimates that tens of thousands of phones have already been infected in the cryptocurrency theft campaign alone.
But here’s the bigger question: How did Coruna leak, and what does this mean for the future of cybersecurity? The answer may lie in the shadowy world of zero-day exploit brokers, who buy and sell hacking tools to the highest bidder. As Rocky Cole points out, ‘These brokers tend to be unscrupulous. They sell to anyone and double dip.’ With brokers like Operation Zero paying millions for such tools, it’s no surprise that even government-grade exploits can end up in criminal hands. Is this a failure of oversight, or an inevitable consequence of the cyber arms race?
As we grapple with these questions, one thing is clear: the genie is out of the bottle. Coruna’s journey from a possible US government tool to a weapon for spies and criminals is a stark reminder of the dangers of unchecked cyber capabilities. What do you think? Is this a wake-up call for stricter regulations on hacking tools, or an unavoidable risk in the digital age? Let’s discuss in the comments.
