Government iPhone hacking tools found in criminal hands, Google says
Mar 4th 2026
Security researchers say a powerful exploit kit called Coruna, tied to a government surveillance vendor, has leaked into the wild and is now being used by Russian espionage actors and cybercriminals to target iPhones running older iOS versions.
- Google discovered the Coruna exploit kit in February 2025 after a surveillance vendor used it for a government customer.
- Google later observed Coruna used in a broad campaign against Ukrainian users by a Russian espionage group and in a separate attack by a financially motivated hacker in China.
- Coruna can compromise iPhones running iOS 13 through 17.2.1 by chaining 23 separate vulnerabilities and delivering exploits via malicious websites or links.
- Mobile security firm iVerify linked Coruna to U.S. government tools based on similarities to previously attributed frameworks.
- Researchers warn a growing market for secondhand exploits is enabling leaked government tools to be resold and abused by non-state actors.
- Past incidents such as the NSA EternalBlue leak and the sale of exploits by a former contractor show how government hacking tools can fuel widespread cybercrime.