When a weapon designed for one purpose ends up in the hands of people it was never intended for, a certain kind of unease sets in. That’s essentially what’s happening at the moment with a piece of iPhone-hacking software called Coruna, and those monitoring it can’t quite agree on how concerned everyone should be.
Early this year, researchers at Google and the mobile security company iVerify spent time dissecting a hacking toolkit that, on paper, sounds almost unremarkable: five exploit chains, twenty-three vulnerabilities, all aimed at older iPhones. The specifics, however, are anything but ordinary. The user doesn’t need to click anything, open a dubious link, or download a file. All it takes is visiting a website that has been covertly altered to serve the code. The phone is compromised while it sits in someone’s pocket.
Coruna’s travel history sets it apart from typical iOS malware. Google linked pieces of it to an anonymous buyer, identified only as a “customer of a surveillance company,” in February of last year. A more sophisticated version surfaced months later in what researchers believe to be a Russian espionage campaign, embedded in ordinary website analytics code across Ukrainian sites, the kind of thing nobody thinks to check. Then, for reasons unknown, the same underlying toolkit reappeared, this time stripped of its spying mission and aimed directly at Chinese-speaking cryptocurrency holders, draining wallets rather than gathering intelligence.
This kind of trajectory raises the obvious and unsettling question: who built this thing in the first place? Rocky Cole, a cofounder of iVerify who spent many years at the NSA before leaving government service, is quite candid about how he reads the evidence. He believes the code’s structure, its native-level English comments, and its overlap with an earlier campaign known as Triangulation (which Russia openly attributed to US intelligence) all point to an origin in the United States. He is careful to hedge, though, noting that he has been out of government too long to claim insider knowledge. On the record, he will only say, “It’s a good bet, though certainly not a sure bet.”
Cole is not alone in noticing the craftsmanship. Spencer Parker, chief product officer of iVerify, described the underlying exploit framework as remarkably polished, almost suspiciously so, in contrast to the crude crypto-draining code that criminals later bolted onto it. Reading the analysis gives the impression that this software was shaped by two very different skill levels at two very different stages of its life. One author created something modular and disciplined. Much later, someone else pieced together additions that look almost amateurish by comparison.

Naturally, none of this occurs in a vacuum. This story’s shape will be familiar to anyone who has followed cybersecurity for more than a few years because it has happened before. The NSA-developed Windows exploit EternalBlue, which was stolen and leaked in 2017, ultimately drove Russia’s NotPetya attack and North Korea’s WannaCry ransomware, two of the most catastrophic cyberattacks ever. Cole refers to Coruna as “the EternalBlue moment for mobile malware,” and it’s difficult to argue that this comparison is exaggerated.
The scale, at least, is known with more certainty. iVerify worked with a company that has visibility into network traffic and counts connections to the command-and-control servers behind the crypto-theft version of Coruna. They estimate that, among Chinese-language scam websites alone, about 42,000 devices were compromised in that campaign. How many more victims there are among the Ukrainian targets, or where else this code has quietly traveled, is genuinely unclear. Google has not responded. Apple hasn’t provided much information either.
Then there’s the question of how something this advanced escaped from controlled hands in the first place. Hacking tools don’t simply disappear. Peter Williams, a former employee of the government contractor Trenchant, pleaded guilty last year to selling at least eight of the company’s exploits to a Russian buyer believed to be Operation Zero, a broker later sanctioned by the Treasury Department. He received a seven-year sentence. Whether Coruna went through a similar pipeline, with an insider cashing out in secret, is speculation. But given how lucrative the zero-day resale market has become, it’s not unrealistic speculation.
Apple has fixed the underlying flaws in iOS 26, and Lockdown Mode is said to block the attack entirely. Even so, it’s hard to ignore how much of the public’s safety here depends on people simply updating their older phones, something that, according to Apple’s own statistics, a sizable share of iPhone owners still haven’t done. The tools that were supposed to stay locked in a government vault are now out in the open. Putting them back is no longer really an option.
