US defense firm tied to iPhone spyware used by Russian operatives in Ukraine


A sophisticated iPhone-hacking kit originally created for Western intelligence customers has resurfaced in multiple global campaigns, researchers say, with the same set of tools linked to both state-backed espionage and broad financial cybercrime. The findings, first outlined by technology firms in 2025, underscore how powerful offensive software can leak beyond its intended users and be repurposed with wide-reaching consequences.

Security firms that examined the toolkit — known internally as Coruna — say it comprises more than 20 distinct components and was initially deployed in highly targeted operations. Over time, the package appears to have moved from limited government use into the hands of a Russian espionage group and later Chinese cybercriminal gangs, who used it in large-scale fraud and cryptocurrency theft.

Who built the toolkit — and how it spread

Independent analysis by mobile-security researchers pointed to a vendor that supplies intrusion tools to U.S. government agencies. Two former employees familiar with the vendor’s iPhone exploitation efforts identified Coruna as at least partly developed inside the hacking division of defense contractor L3Harris, a unit previously known by the name Trenchant.

Those former workers, speaking anonymously because they were not authorized to discuss past projects, said that Coruna was an internal component name within Trenchant’s broader toolkit. Company officials did not respond to requests for comment.

The likely path for the toolkit’s dissemination remains murky, but public prosecutions and prior reporting sketch a plausible route: a former Trenchant manager admitted to stealing multiple hacking tools and selling them to a Russian exploit broker in exchange for cash. U.S. prosecutors say some of those tools later reached unauthorized users, including state and criminal actors.

From targeted surveillance to mass financial crime

Researchers note a clear shift in how the toolkit was used. Initially, the exploit modules were employed in tightly focused operations against specific targets. Later, variants of the same codebase appeared in broad campaigns aimed at money and cryptocurrency theft across multiple countries.

Google’s 2025 disclosure described the set of components and linked two specific zero-day exploits — dubbed Photon and Gallium by their original authors — to earlier operations. Those same exploits were observed in a campaign security firms call Operation Triangulation, which targeted iPhones in Russia and was first publicized in 2023.

Security researchers caution that overlap in the vulnerabilities exploited does not by itself establish attribution: once a vulnerability is disclosed, many actors can build their own exploit for it, so a shared CVE is weaker evidence than shared exploit code. Still, the timing and the structural similarities between modules in Coruna and those seen in previously reported operations have convinced some analysts that the toolkit originated with a small set of government customers and their vendors.

Why this matters now

The case illustrates several pressing risks: powerful offensive cyber tools can be siphoned out of controlled programs; brokers can convert intelligence-grade capabilities into commodities; and once in criminal hands, those tools scale rapidly to affect thousands of ordinary users.

  • Escalation risk: Capabilities designed for targeted espionage were adapted for mass financial attacks.
  • Supply-chain vulnerability: Insider theft and third-party brokers can move sensitive exploits from government inventories to unauthorized actors.
  • Attribution difficulty: Shared vulnerability use complicates efforts to pin responsibility, slowing public response and diplomatic pressure.
  • End-user impact: Devices running iOS 13 through 17.2.1 (releases from September 2019 to December 2023) fell within the toolkit's stated range, so users who ran those versions during that period may have been exposed without knowing it.

Legal fallout and open questions

In a related prosecution, a former Trenchant manager pleaded guilty to selling several proprietary tools to a broker that the U.S. government says worked closely with Russian entities. That case is cited by investigators as a key example of how offensive capabilities leave controlled environments.

But attribution remains contested. A senior researcher who has tracked Operation Triangulation warned that exploitation of widely known vulnerabilities can be replicated by many groups, so shared technical fingerprints alone are rarely decisive. Some security vendors deliberately stop short of public attribution even when private signals point toward a likely source.

Investigations continue into which parts of the published Coruna materials were built by the contractor and which may have been adapted or combined by later users. Tech companies that first flagged the activity say the toolkit targeted iPhones running iOS 13 through 17.2.1, a span of releases from September 2019 to December 2023, which bounds the set of devices that were exploitable and, indirectly, the period during which the exploits were in use.
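For a practitioner, the stated version range is mainly useful as a triage filter: which devices in a fleet or an incident scope ran a version the toolkit is reported to have targeted. The script below is an added example for this page, not code from Google, L3Harris or any of the researchers cited; it parses the version strings an MDM export typically contains (with or without an "iOS" label or a trailing build number), compares them against the inclusive range iOS 13.0 to 17.2.1 taken from the reporting above, and sorts a constructed sample inventory into in-range, out-of-range and unparseable buckets.

```python
"""Triage recorded iPhone OS versions against the targeting range attributed
to Coruna in public reporting (iOS 13 through 17.2.1).

Added example for this page; the range comes from the article, the device
inventory below is constructed, and nothing here tells you whether a device
was actually compromised, only whether it ran a targeted version.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive bounds of the range stated in the reporting.
CORUNA_MIN: Version = (13, 0, 0)
CORUNA_MAX: Version = (17, 2, 1)

# Matches a bare "major", "major.minor" or "major.minor.patch".
_BARE_VERSION = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")
# Prefers the number that follows an "iOS" / "iPhone OS" label, so that
# "iOS 17.2.1 (21C66)" yields 17.2.1 rather than the build number.
_LABELLED_VERSION = re.compile(r"(?:iOS|iPhone OS)\s+(\d+(?:\.\d+){0,2})")


def parse_ios_version(text: str) -> Version:
    """Normalise an inventory string to a (major, minor, patch) tuple.

    Missing minor/patch components are treated as 0, so "iOS 13" is 13.0.0.
    Raises ValueError for anything that is not a recognisable version.
    """
    labelled = _LABELLED_VERSION.search(text)
    token = labelled.group(1) if labelled else text.strip()
    match = _BARE_VERSION.fullmatch(token)
    if not match:
        raise ValueError(f"unrecognised iOS version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in match.groups())
    return (major, minor, patch)


def in_stated_range(text: str) -> bool:
    """True if the version falls within CORUNA_MIN..CORUNA_MAX inclusive."""
    return CORUNA_MIN <= parse_ios_version(text) <= CORUNA_MAX


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split (device_id, version_string) pairs into three lists of device ids:
    in range, out of range, and unparseable (which need manual follow-up)."""
    in_range: List[str] = []
    out_of_range: List[str] = []
    unparseable: List[str] = []
    for device_id, version_text in inventory:
        try:
            bucket = in_range if in_stated_range(version_text) else out_of_range
        except ValueError:
            bucket = unparseable
        bucket.append(device_id)
    return in_range, out_of_range, unparseable


# Constructed sample inventory in the mixed formats an export tends to contain.
SAMPLE_INVENTORY = [
    ("dev-01", "iOS 17.2.1 (21C66)"),  # last version in the stated range
    ("dev-02", "iOS 17.3"),            # first release after the range
    ("dev-03", "12.5.7"),              # older than the range
    ("dev-04", "iOS 13"),              # no minor/patch: treated as 13.0.0
    ("dev-05", "n/a"),                 # missing data, needs manual check
    ("dev-06", "16.7.4"),              # inside the range
]

if __name__ == "__main__":
    hit, miss, unknown = triage(SAMPLE_INVENTORY)
    print("in stated range:", hit)
    print("outside range:  ", miss)
    print("unparseable:    ", unknown)
```

A hit means the device ran a version within the reported targeting range, not that it was attacked; conversely, a version above 17.2.1 only places the device outside the range the reporting describes and says nothing about whether each individual bug had been patched on it. Treat the unparseable bucket as work to do, not as clear.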

What to watch next

Expect further analysis from security labs and possible follow-up legal actions as researchers and prosecutors try to trace the toolkit’s chain of custody. Meanwhile, technology platforms and device makers will likely continue emergency patching and advisory work when zero-days tied to these campaigns are publicly revealed.

Companies named in reporting did not immediately provide responses to requests for comment.

ECIKS.org is an independent media. Support us by adding us to your Google News favorites:
