Researchers from Google have reported a new set of vulnerabilities for iPhone that are being used in attacks targeting crypto wallet owners. The scheme is simple in form but dangerous in consequence. The user visits a fake website, and then the exploits attempt to access data related to asset access.
The tool has been named Coruna. According to Google, it was used on fake financial-themed resources, including pages that imitated industry services.
Which iOS Versions the Attack Targets
According to the Google Threat Intelligence Group, the set targets devices running iOS from version 13 up to 17.2.1. Inside the package, 23 vulnerabilities and several ready-made attack chains were found. Some issues, according to the researchers, had not been publicly described before.
The key point for users is that, as reported, this set no longer works on current versions of iOS. Therefore, the most obvious protection step is to update the system.
If you cannot update the device, Google recommends enabling Lockdown Mode. This is a high-security mode that limits certain iPhone functions and reduces the chance of a successful sophisticated attack.
How Attackers Select the Exploit
The attack starts with a fake website. When it is opened from an iPhone, JavaScript runs on the page to collect information about the device. It checks the model, iOS version, and other parameters. This is needed to send the exact hacking scenario that fits the specific configuration.
Then the server loads the vulnerability chain and tries to access sensitive data on the device. The goal is not just to infect the phone, but to quickly find something that can be monetized.
What Exactly They Seek on the Phone
According to Google, attackers are interested in data that could lead to loss of funds. First and foremost, these are seed phrases and similar wording that users sometimes store in notes, messages, or screenshots.
The malicious logic also targets financial markers. It may look for words like backup phrase and bank account to extract anything related to wallet or banking access data.
It is also noted that attackers try to detect installed apps related to cryptocurrency. Popular wallets and services that can be used to withdraw assets or access account credentials are in their sights.
History of Emergence and Changing Targets
Google notes that it first noticed elements of this set at the beginning of 2025. Later, similar fragments were found on hacked Ukrainian websites, with code distribution, according to researchers, occurring selectively and tied to geography.
By the end of the year, the same toolkit appeared on a large number of fake Chinese-language financial-themed websites. Among them was a resource disguised as a crypto exchange.
Debate Over Origin
Following the publication, the question arose as to who might be behind the development. Mobile company iVerify believes that the level of complexity suggests an expensive and professional development. In their view, this may have been a tool originally created for state-level tasks, which later ended up in the hands of other players.
Meanwhile, Kaspersky stated that available reports do not confirm direct code reuse that would reliably link Coruna to specific authors. So the debate is not about the fact of the attacks, but about the origin of the technology.
What This Means for Wallet Owners
The main takeaway here is practical. Mobile phishing is becoming more sophisticated and closer to the level of targeted attacks. In such conditions, basic hygiene is still decisive. Updating iOS, being cautious with links, and avoiding storing seed phrases in notes or chats are more useful than any advice after a hack.
Read More: Bitcoin Returns Above $73,000 Amid War With Iran, but Analysts Warn of Risks
