iPhone Users Warned: Crypto Scams Can Trigger ‘Coruna’ iOS Exploits
Google’s Threat Intelligence Group (GTIG) is warning that a “new and highly effective” iOS exploit kit, dubbed Coruna by its developers, has been deployed on fake finance and crypto websites designed to lure iPhone users onto pages that can silently deliver exploits. For crypto holders, the risk is blunt: GTIG’s analysis shows the campaigns ultimately focused on harvesting seed phrases and wallet data from popular mobile apps.
Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, bundling five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution across 2025, from early use by a customer of a commercial surveillance company, to “watering hole” attacks on compromised Ukrainian websites, and finally to broad-scale distribution via Chinese-language scam sites tied to a financially motivated actor it tracks as UNC6691.
A Crypto Lure Designed For iPhones
In the scam-wave phase, GTIG says it observed the JavaScript framework behind Coruna deployed across a “very large set” of fake Chinese websites mostly themed around finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that attempted to steer visitors onto an iOS device, after which a hidden iframe would be injected to deliver the exploit kit “regardless of their geolocation.”
The delivery mechanics matter because they blur the line between conventional phishing and outright device compromise: in GTIG’s telling, merely arriving on the booby-trapped page from a vulnerable iPhone was enough to start the chain. The framework fingerprints the device to identify its model and iOS version, then loads the matching WebKit remote code execution exploit and a pointer authentication (PAC) bypass.
GTIG tied one WebKit RCE it recovered to CVE-2024-23222, noting it was addressed by Apple in iOS 17.3 on Jan. 22, 2024.
At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on classic surveillance features and more on stealing financial data. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, along with keywords such as “backup phrase” and “checking account”, including in Apple Notes, which it can then exfiltrate.
The payload is also modular. GTIG says it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions and exfiltrate sensitive data from popular crypto wallet apps, among them MetaMask, Trust Wallet, Uniswap’s wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper.
The broader arc was also flagged by mobile security firm iVerify, which published its own findings around the same time as GTIG’s report. “And that’s exactly what happened again here, but on mobile devices. Phone OEMs do as good a job as anyone can do…”
What Crypto Users Can Do Now
Google says Coruna “is not effective against the latest version of iOS,” and urges users to update. If updating isn’t possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it added the identified websites and domains to Google Safe Browsing to help reduce further exposure.
For crypto-native users, the immediate takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, which makes “visit-to-compromise” campaigns uniquely dangerous. GTIG’s reporting suggests the scam funnel wasn’t just about getting victims to connect wallets; it was about getting them onto the right device, on the right iOS version, so exploitation could do the rest.
At press time, the total crypto market cap stood at $2.45 trillion.
