Google’s Threat Intelligence Group (GTIG) is warning that a “new and powerful” iOS exploit kit, dubbed Coruna by its developers has been deployed on fake finance and crypto websites designed to lure iPhone users into visiting pages that can silently deliver exploits. For crypto holders, the risk is blunt: GTIG’s analysis shows the campaigns ultimately focused on harvesting seed phrases and wallet data from popular mobile apps.
Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, bundling five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution across 2025, from early use by a customer of a commercial surveillance company, to “watering hole” attacks on compromised Ukrainian websites, and finally to broad-scale distribution via Chinese-language scam sites tied to a financially motivated actor it tracks as UNC6691.
A Crypto Lure Designed For iPhones
In the scam-wave phase, GTIG says it observed the JavaScript framework behind Coruna deployed across a “very large set” of fake Chinese websites largely themed around finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that tried to push visitors onto an iOS device—after which a hidden iFrame would be injected to deliver the exploit kit “regardless of their geolocation.”
Related Reading
The delivery mechanics matter because they blur the line between traditional phishing and outright device compromise: in GTIG’s telling, simply arriving on the booby-trapped page from a vulnerable iPhone was enough to begin the chain. The framework fingerprints the device to identify model and iOS version, then loads the appropriate WebKit remote code execution exploit and a pointer authentication (PAC) bypass.
GTIG tied one WebKit RCE it recovered to CVE-2024-23222, noting it was addressed by Apple in iOS 17.3 on Jan. 22, 2024.
At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on classic surveillance features and more on stealing financial information. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, along with keywords such as “backup phrase” and “bank account”, including in Apple Memos, which it can then exfiltrate.
Related Reading
The payload is also modular. GTIG says it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions and exfiltrate sensitive information from common crypto wallet apps—among them MetaMask, Trust Wallet, Uniswap’s wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper.
The broader arc was also flagged by mobile security firm iVerify, which published its own findings around the same time as GTIG’s report. “And that’s exactly what happened again here, but on mobile devices. Phone OEMs do as good a job as anyone can do…”
What Crypto Users Can Do Now
Google says Coruna “is not effective against the latest version of iOS,” and urges users to update. If updating isn’t possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it added the identified websites and domains to Google Safe Browsing to help reduce further exposure.
For crypto-native users, the immediate takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, which makes “visit-to-compromise” campaigns uniquely dangerous. GTIG’s reporting suggests the scam funnel wasn’t just about getting victims to connect wallets, it was about getting them onto the right device, on the right iOS version, so exploitation could do the rest.
At press time, the total crypto market cap stood at $2.45 trillion.
Featured image created with DALL.E, chart from TradingView.com
Credit: Source link
