Coruna Exploit Kit Targets Older iOS Devices to Steal Cryptocurrency

Google’s Threat Intelligence Group (GTIG) has identified and detailed a powerful exploit kit called Coruna, which targets older iOS devices to steal cryptocurrency wallet data and potentially drain funds.

It primarily exploits iPhones running iOS 13.0 through iOS 17.2.1 (spanning releases from September 2019 to December 2023). Newer versions (iOS 17.3 and later, including the current iOS as of 2026) are not vulnerable because Apple patched the relevant issues in those updates.

This is a drive-by, zero-click style exploit delivered via malicious or compromised websites, often fake finance, gambling, crypto, or news sites, including some Chinese-language scam pages. When a vulnerable iPhone visits the site, the kit fingerprints the device.

If the device is on an outdated iOS version, the kit deploys a chain of exploits: five full exploit chains using at least 23 vulnerabilities, some previously undisclosed. This allows sandbox escape, root access, and deep system compromise. Once inside, it scans for and extracts sensitive crypto data: mnemonic seed phrases (BIP39 recovery phrases), private keys, QR codes, encrypted wallet files, login credentials from apps, etc.

Targeted Wallets and Apps

It specifically hunts data from popular crypto apps and wallets such as MetaMask, Phantom, Trust Wallet, Exodus, Uniswap, and around 18 others in total. The kit was first spotted by Google in early 2025. It was initially linked to suspected nation-state actors: Russian intelligence targeting Ukrainian users via compromised “watering hole” sites.

It was later repurposed for financially motivated cybercrime, especially via fake Chinese crypto and finance sites to mass-steal assets. It’s described as unusually sophisticated for commodity malware, more like commercial spyware or nation-state grade tools adapted for crypto theft.

Go to Settings > General > Software Update on your iPhone and install the latest iOS version available. This is the primary fix, as Coruna does not work on patched systems.

If you can’t update (e.g., older hardware that no longer receives full updates), enable Lockdown Mode (Settings > Privacy & Security > Lockdown Mode). This blocks the exploit chains and is explicitly recommended by Google and Apple for high-risk users.

Avoid clicking suspicious links or visiting untrusted sites, especially anything promising crypto deals, airdrops, or urgent wallet actions. Use hardware wallets for large holdings instead of software and mobile wallets when possible. If your iPhone is on iOS 17.3 or newer, you’re not at risk from this specific kit.

Never enter seed phrases on any website or app unless you’re 100% sure it’s legitimate. Consider using a separate, up-to-date device for crypto activities if your main phone is older. This threat highlights how outdated devices become prime targets for sophisticated attackers shifting from targeted espionage to broader crypto theft.
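For anyone responsible for more than one phone, the version range above can be turned into a quick triage of web proxy logs. The following is an added example, not code from Google or from the original article; the tab-separated log format, the sample lines and the function names are constructed for illustration, and the range is applied purely numerically as the article states it.

```python
import re

# Range stated in the article: iOS 13.0 through 17.2.1 affected, 17.3+ not.
FIRST_AFFECTED = (13, 0, 0)
LAST_AFFECTED = (17, 2, 1)

# iPhone browsers report e.g. "CPU iPhone OS 16_7_2 like Mac OS X";
# iPads in mobile mode report "CPU OS 16_6 like Mac OS X".
_IOS_UA = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")

def ios_version(user_agent):
    """Return (major, minor, patch) from a User-Agent, or None if not iOS."""
    m = _IOS_UA.search(user_agent)
    if not m:
        return None
    # A missing patch component ("17_3") is treated as 0.
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(user_agent):
    v = ios_version(user_agent)
    if v is None:
        return "not-ios"
    if v < FIRST_AFFECTED:
        return "below-range"
    if v <= LAST_AFFECTED:
        return "in-affected-range"
    return "patched"

def triage(log_lines):
    """Map client IP -> iOS version for clients inside the affected range."""
    hits = {}
    for line in log_lines:
        ip, _, ua = line.partition("\t")
        if ua and classify(ua) == "in-affected-range":
            hits[ip] = ".".join(str(n) for n in ios_version(ua))
    return hits

# Constructed sample input (hypothetical format: client IP, tab, User-Agent).
SAMPLE_LOG = [
    "10.0.0.5\tMozilla/5.0 (iPhone; CPU iPhone OS 16_7_2 like Mac OS X) Safari/604.1",
    "10.0.0.6\tMozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) Safari/604.1",
    "10.0.0.7\tMozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) Safari/604.1",
    "10.0.0.8\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "10.0.0.9\tMozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) Safari/604.1",
]

if __name__ == "__main__":
    for ip, version in triage(SAMPLE_LOG).items():
        print(f"{ip} reports iOS {version}: update or enable Lockdown Mode")
```

User-Agent strings can be altered or spoofed, so treat hits as leads to confirm against device management records rather than as an authoritative inventory.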

Android users face several similar threats to the Coruna iOS exploit kit, though the Android ecosystem differs due to its open nature, sideloading risks, and widespread use of accessibility services abused by malware. Unlike Coruna’s sophisticated zero-click browser-based exploits targeting outdated iOS versions for crypto wallet data extraction, Android threats often rely on malware installed via phishing, fake apps, malvertising, or sideloaded APKs; on abuse of Android’s Accessibility Services for remote control, UI automation, and silent data theft (opening wallet apps, capturing screens, extracting seed phrases and private keys); and on overlay attacks, clipboard hijacking, or direct credential and seed phrase stealing.

Some RATs (Remote Access Trojans) enable live control to drain wallets during active sessions. These are frequently sold as Malware-as-a-Service (MaaS), making them accessible to lower-skill criminals for mass financial theft. Crypto-focused Android malware surged in 2025–2026, contributing to billions in overall crypto scam and fraud losses.

Albiriox: A rapidly evolving Android RAT and banking Trojan sold as MaaS. It provides live remote control over infected phones, allowing attackers to perform on-device fraud—quietly draining bank accounts and crypto wallets during real user sessions. It targets global finance and crypto services with structured modules for credential theft and transaction manipulation.
