A significant security revelation usually results in a certain kind of silence, and this week’s silence over Cupertino feels heavier than most. Working with Google’s Threat Intelligence Group, iVerify has outlined what may be the first observed mass exploitation of iPhones. This is not a targeted attack on a foreign minister or dissident, but rather something more widespread, messier, and difficult to ignore. The Coruna framework resembles a tool that started out inside the US government and then ended up somewhere it wasn’t supposed to.
You can practically see how it took place. A beautifully written piece of code laced with the kind of inside jokes that would only be scattered into comments by a native English speaker working on a defense contract. Rocky Cole, who has spent years observing the U.S. defense industrial base, described the codebase as “superb” because it was well-built, fluid, and the product of highly skilled individuals. Then, for some reason, it moved from its original location.

| Field | Details |
|---|---|
| Company | iVerify |
| Co-founder & COO | Rocky Cole |
| Chief Product Officer | Spencer Parker |
| Exploit Framework Name | Coruna |
| Malware Sample (reverse engineered) | CryptoWaters |
| Threat Actor Cluster (per Google) | UNC6691 |
| Devices Affected (initial estimate) | At least 42,000 iPhones |
| Historical Parallel | EternalBlue (NSA, 2017) → WannaCry, NotPetya |
| Linked Operation | Operation Triangulation (first surfaced by Kaspersky, 2023) |
| Apple’s Public Response | No comment as of publication |
| Free Detection Tool | iVerify Basic (free on iOS through May; eight days for Android) |

That is the part that ought to make people uneasy. For years, commercial spyware vendors have insisted that their products be used only for serious criminal investigations and counterterrorism. Anyone observing this area has begun to suspect that the reality is more chaotic. Control vanishes once a capability is sold. Brokers resell. Clients leak. Code is transportable. While the market it is intended to regulate continues to grow covertly, the Pall Mall Process, an effort to impose some voluntary safeguards around the spyware trade, continues to grind away in diplomatic rooms.
All of this is shadowed by EternalBlue, and not in a subtle way. After using a Windows vulnerability for years, the NSA watched it leak into the wild thanks to the Shadow Brokers. WannaCry appeared two months later. NotPetya, six weeks later. Hospitals ceased operations. Shipping firms froze. The damage was thought to run into the billions. Cole refers to this as an “EternalBlue moment” for mobile, and the echo is difficult to ignore. He might be exaggerating it. Since the analysis will take months, it’s also possible that he isn’t; we simply don’t know yet.

In some ways, the iPhone’s architecture exacerbates this. Although there are benefits to Apple keeping the platform locked down, it also means enterprise teams and independent security researchers have very little insight into what’s going on at the system level. Every other endpoint used in serious enterprise settings, including Windows laptops, Linux servers, and increasingly Macs, has a framework that allows the larger security community to assist in its defense. iPhones don’t. Cole feels personally frustrated by this issue, and it makes sense. Apple has released patches against Operation Triangulation, the campaign that Kaspersky revealed in 2023, and has published security guidelines for years that highlight how seriously it takes user safety. However, providing patches after the fact is not the same as allowing outside researchers to assist in identifying potential future developments.
As this story develops, it seems as though the days of viewing iPhones as somehow immune to the more complex realities of the security industry are coming to an end. By iOS standards, 42,000 devices is a huge number, and it could increase. There will be patches. The revelations will go on. The question that remains is whether Apple will open up or intensify its efforts to go it alone, and as of right now, nobody truly knows the answer.
