An iPhone-hacking technique used in the wild to indiscriminately hijack the devices of any iOS user who merely visits a website represents a rare and shocking event in the cybersecurity world. Now one powerful hacking toolkit at the center of multiple mass iPhone exploitation campaigns has taken an even rarer and more disturbing path: It appears to have traveled from the hands of Russian spies who used it to target Ukrainians to a cybercriminal operation designed to steal cryptocurrency from Chinese-speaking victims—and some clues suggest it may have been originally created by a US contractor and sold to the American government.

Security researchers at Google on Tuesday released a report describing what they're calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.

In fact, Google traces components of Coruna to hacking techniques it spotted in use in February of last year and attributed to what it describes only as a “customer of a surveillance company.” Then, five months later, Google says a more complete version of Coruna reappeared in what appears to have been an espionage campaign carried out by a suspected Russian spy group, which hid the hacking code in a common visitor-counting component of Ukrainian websites. Finally, Google spotted Coruna in use yet again in what seems to have been a purely profit-focused hacking campaign, infecting Chinese-language crypto and gambling sites to deliver malware that steals victims’ cryptocurrency.

Conspicuously absent from Google's report is any mention of who the original surveillance company “customer” that deployed Coruna may have been. But the mobile security company iVerify, which also analyzed a version of Coruna it obtained from one of the infected Chinese sites, suggests the code may well have started life as a hacking kit built for or purchased by the US government. Google and iVerify both note that Coruna contains multiple components previously used in a hacking operation known as “Triangulation” that was discovered targeting Russian cybersecurity firm Kaspersky in 2023, which the Russian government claimed was the work of the NSA. (The US government didn’t respond to Russia’s claim.)

Coruna's code also appears to have been originally written by English-speaking coders, notes iVerify's cofounder Rocky Cole. “It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," Cole tells WIRED. “This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups.”

An “EternalBlue Moment”

Regardless of Coruna's origin, Google warns that a highly valuable and rare hacking toolkit appears to have traveled through a series of unlikely hands, and now exists in the wild where it could still be adopted—or adapted—by any hacker group seeking to target iPhone users.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google's report reads, using the term zero-day to refer to secret hacking techniques that exploit unpatched vulnerabilities. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.”

iVerify's Cole notes that if Coruna actually began life as a tool intended for the US government, though, it also raises questions about the security of mobile devices in a world where highly sophisticated hacking tools created for or sold to the American government can leak to adversaries. “This is the EternalBlue moment for mobile malware,” says Cole. EternalBlue is the Windows-hacking tool stolen from the National Security Agency and leaked in 2017, leading to its use in catastrophic cyberattacks, including North Korea's WannaCry worm and Russia's NotPetya attack.

Google notes that Apple patched vulnerabilities used by Coruna in the latest versions of its mobile operating system, iOS 26, so its exploitation techniques are only confirmed to work against iOS 13 through 17.2.1. It targets vulnerabilities in Apple's Webkit framework for browsers, so Safari users on those older versions of iOS would be vulnerable, but there's no confirmed techniques in the toolkit for targeting Chrome users. Google also notes that Coruna checks if an iOS devices has Apple's most stringent security setting, known as Lockdown Mode, enabled, and doesn’t attempt to hack it if so.

Despite those limitations, iVerify says Coruna likely infected tens of thousands of phones. The company consulted with a partner that has access to network traffic and counted visits to a command-and-control server for the cybercriminal version of Coruna infecting Chinese-language websites. The volume of those connections suggest, iVerify says, that roughly 42,000 devices may have already been hacked with the toolkit in the for-profit campaign alone.

Just how many other victims Coruna may have hit, including Ukrainians who visited websites infected with the code by the suspected Russian espionage operation, remains unclear. Google declined to comment beyond its published report. Apple did not immediately provide comment on Google or iVerify's findings.

A Single, Very Professional Author

In iVerify's analysis of the cybercriminal version of Coruna—it didn't have access to any of the earlier versions—the company found that the code appeared to have been altered to plant malware on target devices designed to drain cryptocurrency from crypto wallets as well as steal photos and, in some cases, emails. Those additions, however, were “poorly written” compared to the underlying Coruna toolkit, according to iVerify chief product officer Spencer Parker, which he found to be impressively polished and modular.

“My God, these things are very professionally written,” Parker says of the exploits included in Coruna, suggesting that the cruder malware was added by the cybercriminals who later obtained that code.

As for the code modules that suggest Coruna’s origins as a US government toolkit, iVerify’s Cole notes one alternative explanation: It’s possible that Coruna’s code overlaps with the Operation Triangulation malware that Russia pinned on US hackers could be based on Triangulation’s components being picked up and repurposed after they were discovered. But Cole argues that’s unlikely. Many components of Coruna have never been seen before, he points out, and the whole toolkit appears to have been created by a “single author,” as he puts it.

“The framework holds together very well,” says Cole, who previously worked at the NSA, but notes that he's been out of the government for more than a decade and isn't basing any findings on his own outdated knowledge of US hacking tools. “It looks like it was written as a whole. It doesn’t look like it was pieced together.”

If Coruna is, in fact, a US hacking toolkit gone rogue, just how it got into foreign and criminal hands remains a mystery. But Cole points to the industry of brokers that may pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive of US government contractor Trenchant, was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as others in the “Five Eyes” group of English-speaking governments—the US, UK, Australia, Canada and New Zealand—though it's not clear what specific tools he sold or what devices they targeted.

“These zero-day and exploit brokers tend to be unscrupulous," says Cole. “They sell to the highest bidder and they double dip. Many don’t have exclusivity arrangements. That’s very likely what happened here.”

“One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” Cole concludes. “The genie is out of the bottle.”