Google has uncovered a sophisticated exploitation framework known as Coruna that targets Apple iPhones and is being used to steal cryptocurrency from unsuspecting users.
The discovery was made by Google’s Threat Intelligence Group after investigators observed the toolkit operating in real-world phishing campaigns against iPhone users.
Security researchers reported that Coruna specifically targets Apple devices running iOS versions between 13.0 and 17.2.1 through carefully crafted malicious websites.
The toolkit contains advanced exploit chains designed to compromise devices once a victim visits a compromised webpage disguised as a legitimate cryptocurrency platform.
Investigators said attackers frequently lure users to fraudulent crypto trading or wallet websites that appear authentic to gain the victim’s trust.
Once the malicious site loads, a hidden JavaScript script automatically analyses the visitor’s device model and iOS version to determine which exploit chain should be deployed.
The exploit then runs silently in the background and allows attackers to gain access to sensitive information stored on the compromised device.
Researchers confirmed that the malware is capable of extracting cryptocurrency wallet recovery phrases, login credentials, passwords and other private information.
Attackers can use this information to access digital wallets and transfer cryptocurrency assets away from victims within seconds.
Analysts noted that most victims targeted in the campaign appear to be cryptocurrency holders who interact with digital asset platforms through mobile browsers.
The origin of the Coruna exploit kit remains uncertain, although investigators observed similarities with tools previously associated with sophisticated threat groups.
The toolkit has reportedly been detected on fraudulent Chinese cryptocurrency websites as well as phishing campaigns directed at Ukrainian users.
After the exploit was discovered, Google alerted Apple about the vulnerabilities being abused by the Coruna framework.
Apple subsequently released security updates designed to patch several of the weaknesses exploited by the malicious toolkit.
Despite the patches, researchers warn that devices running outdated versions of iOS remain vulnerable to these types of attacks.
Cybersecurity specialists advise iPhone users to update their devices immediately to the latest version of iOS to ensure known vulnerabilities are patched.
Experts also recommend enabling Apple’s Lockdown Mode, which is designed to limit attack surfaces and block sophisticated exploitation attempts.
Users are strongly advised to avoid clicking links from unknown sources, particularly those promoting cryptocurrency investments or trading opportunities.
Security professionals emphasise the importance of verifying website addresses carefully before entering sensitive information on any crypto-related platform.
Analysts further recommend storing digital assets in hardware wallets rather than relying solely on mobile applications connected to the internet.
Hardware wallets provide an additional security layer because private keys remain stored offline and cannot easily be accessed by malware.
The exposure of Coruna highlights how phishing attacks targeting cryptocurrency investors are becoming increasingly complex and difficult to detect.
Researchers warn that cybercriminals continue to refine their techniques as the value of digital assets grows worldwide.
Security experts say the best defence remains user vigilance combined with updated software and careful handling of cryptocurrency credentials.