Imagine a world where a powerful iPhone-hacking toolkit, possibly created for the US government, falls into the hands of foreign spies and cybercriminals. This isn’t a dystopian sci-fi plot—it’s happening right now. A highly sophisticated hacking tool known as “Coruna” has taken a shocking journey, from targeting Ukrainians in a suspected Russian espionage campaign to being used by cybercriminals to steal cryptocurrency from Chinese-speaking victims. But here’s where it gets even more unsettling: clues suggest this toolkit might have originated from a US contractor and was initially sold to the American government. How did it spiral so far out of control? And this is the part most people miss: it’s not just about one tool—it’s a wake-up call about the dangers of advanced hacking technologies falling into the wrong hands.
On Tuesday, Google’s security researchers released a detailed report on Coruna, a toolkit capable of exploiting 23 distinct vulnerabilities in iOS. This isn’t your average hack—it’s a rare, state-sponsored-level operation that can silently install malware on an iPhone simply by visiting a compromised website. Google first spotted components of Coruna in February last year, linked to a mysterious “customer of a surveillance company.” Five months later, it resurfaced in a Russian spy campaign targeting Ukraine. Then, it appeared again in a profit-driven scheme infecting Chinese-language crypto and gambling sites. The question on everyone’s mind: Who was the original customer? While Google’s report doesn’t name names, mobile security firm iVerify suggests the toolkit might have been built for or purchased by the US government.
But here’s the controversial part: Could this be an example of US-developed tools spinning out of control? iVerify’s cofounder, Rocky Cole, notes that Coruna’s code is highly sophisticated, written by English-speaking developers, and bears similarities to modules attributed to the US government. “This is the first time we’ve seen likely US government tools being used by both adversaries and cybercriminals,” Cole told WIRED. This raises a troubling question: Are we witnessing an ‘EternalBlue Moment’ for mobile devices? EternalBlue, a stolen NSA tool, led to catastrophic attacks like WannaCry and NotPetya. Could Coruna be the next big threat?
Google warns that Coruna’s proliferation suggests an active market for ‘second-hand’ zero-day exploits, where advanced hacking techniques are bought, sold, and repurposed. While Apple has patched the vulnerabilities in iOS 26, older versions remain at risk. iVerify estimates that tens of thousands of devices have already been compromised, with roughly 42,000 victims in the Chinese-language campaign alone. But how many more are out there? And who’s next?
Here’s another layer to this story: The cybercriminal version of Coruna included crudely written malware for stealing cryptocurrency, photos, and emails. But the core toolkit? Impressively polished and modular, according to iVerify’s Spencer Parker. “These things are very professionally written,” he says. This suggests the malware was added later by less skilled hackers, while the original toolkit was the work of a single, highly skilled author. Could this author be tied to the US government? Or is it a case of repurposed code from Operation Triangulation, which Russia blamed on US hackers? Cole argues the latter is unlikely, pointing to unique components in Coruna that have never been seen before.
But here’s the bigger question: How did this tool end up in foreign and criminal hands? Cole points to the shadowy world of zero-day brokers, who pay millions for exploits and sell them to the highest bidder. Case in point: Peter Williams, a US contractor, was sentenced to seven years in prison for selling hacking tools to a Russian broker. “These brokers tend to be unscrupulous,” Cole says. “They double dip and don’t care who they sell to.” So, is this a failure of oversight? Or an inevitable consequence of creating such powerful tools?
As the dust settles, one thing is clear: The genie is out of the bottle. Coruna’s journey highlights the risks of advanced hacking tools falling into the wrong hands. But what’s the solution? Should governments stop developing such tools? Or is better regulation the answer? Let us know your thoughts in the comments—this is a debate we can’t afford to ignore.
