3/6/2026

iPhone Users Warned: Crypto Scams Can Trigger ‘Coruna’ iOS Exploits

Overview

Google’s Threat Intelligence Group (GTIG) has issued a warning regarding a newly identified iOS exploit kit, referred to as Coruna, which targets iPhone users through fake financial and crypto websites. This exploit kit is particularly concerning for crypto holders, as its primary goal is to harvest sensitive seed phrases and wallet data from popular mobile applications.

The Coruna Exploit Kit

The Coruna exploit kit is designed to target Apple devices running iOS versions from 13.0 to 17.2.1. GTIG’s analysis reveals that the kit comprises five complete exploit chains and 23 individual exploits. GTIG traced the evolution of Coruna from its initial use in 2025 by a commercial surveillance company, through “watering hole” attacks on compromised Ukrainian websites, to its current broad distribution through Chinese-language scam sites linked to a financially motivated actor identified as UNC6691.

Delivery Mechanism

During its investigation, GTIG found that the JavaScript framework associated with Coruna has been deployed across a vast array of counterfeit Chinese websites, many of which are finance-themed. One specific example was a fraudulent crypto exchange page branded as WEEX, which attempted to lure visitors using iOS devices. Once a user accessed the page, a hidden iframe was injected to deliver the exploit kit, regardless of the user’s geolocation.

GTIG highlighted the significance of these delivery mechanics, noting that simply visiting the malicious page from a vulnerable iPhone could initiate the exploitation process. The framework fingerprints the device to determine its model and iOS version, then loads the matching WebKit remote code execution exploit along with a pointer authentication code (PAC) bypass.
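The delivery step described above leaves a visible trace in the served HTML: a cross-origin iframe that the visitor is never meant to see. The following scanner is an added example for defenders, not code from the NewsBTC article or from GTIG, that parses a fetched page and flags iframes which both load a foreign origin and are styled or sized to be invisible. The hidden-style heuristics and the sample HTML are constructed for the example; the hostnames use the reserved `.invalid` TLD.

```python
"""Flag hidden cross-origin iframes in fetched HTML (added defender-side example).

The heuristics for "hidden" are an assumption: display:none, visibility:hidden,
zero opacity, large negative offsets, the `hidden` attribute, or a 0/1-pixel frame.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that commonly make an element invisible (heuristic, assumption)
HIDDEN_STYLE_PATTERNS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),
)


def _is_hidden(attrs: dict) -> bool:
    """Return True if the iframe's attributes suggest it is not meant to be seen."""
    style = attrs.get("style", "")
    if any(p.search(style) for p in HIDDEN_STYLE_PATTERNS):
        return True
    if attrs.get("hidden") is not None:  # bare `hidden` attribute present
        return True
    # Zero- or one-pixel frames are a classic injection tell
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
        if width <= 1 or height <= 1:
            return True
    except ValueError:
        pass  # non-numeric sizes (e.g. "100%") are treated as visible
    return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser gives None for valueless attributes; normalise to ""
            self.iframes.append({k.lower(): (v if v is not None else "") for k, v in attrs})


def find_suspicious_iframes(html: str, page_url: str) -> list:
    """Return (src, reason) tuples for iframes loading a different origin.

    Hidden cross-origin frames are the strongest signal; visible cross-origin
    frames are reported too so an analyst can review third-party embeds.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if not src:
            continue
        src_host = urlparse(src).netloc.lower()
        cross_origin = bool(src_host) and src_host != page_host
        if cross_origin and _is_hidden(attrs):
            findings.append((src, "hidden cross-origin iframe"))
        elif cross_origin:
            findings.append((src, "visible cross-origin iframe"))
    return findings


# Constructed sample page: one legitimate-looking chart embed, one hidden
# injected frame, and one same-origin pixel frame that should not be reported.
SAMPLE_PAGE = """
<html><body>
<h1>Exchange login</h1>
<iframe src="https://widgets.example-cdn.invalid/chart" width="600" height="400"></iframe>
<iframe src="https://loader.example-attacker.invalid/k.html" style="display:none;width:0;height:0"></iframe>
<iframe src="/help" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_PAGE, "https://exchange.example.invalid/login"):
        print(f"{reason}: {src}")
```

Run the scanner over HTML captured by a crawler or proxy rather than over a live browser DOM; scripts that inject the frame after load will not appear in the served markup, so a DOM snapshot taken after page load is the more complete input.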

Payload and Capabilities

The exploit kit culminates in the deployment of a stager named PlasmaLoader, also tracked as PLASMAGRID. Unlike traditional surveillance tools, PlasmaLoader is primarily focused on stealing financial data. GTIG reported that the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, including keywords like “backup phrase” and “bank account.” This information can be exfiltrated from various applications, including Apple Memos.

The modular nature of the payload allows it to download and execute additional modules remotely. Many of these modules are tailored to intercept and exfiltrate sensitive information from popular crypto wallet applications, including MetaMask, Trust Wallet, Uniswap’s wallet, Phantom, Exodus, and Tonkeeper.

From author

This warning from GTIG underscores the evolving tactics employed by cybercriminals targeting mobile users, particularly in the crypto space. The ability of the Coruna exploit kit to silently compromise devices by simply visiting a malicious webpage illustrates the growing sophistication of such threats. As mobile wallets continue to be a focal point for crypto activity, users must remain vigilant and take proactive measures to protect their assets.

Impact on the crypto market

  • Increased awareness among crypto holders regarding the security risks associated with mobile wallets.
  • Potential rise in demand for enhanced security measures and solutions within the crypto community.
  • Heightened scrutiny on mobile applications and their vulnerabilities, particularly those related to financial transactions.
  • Possible impacts on user confidence in mobile crypto transactions, leading to shifts in how crypto is accessed and managed.
  • Influence on regulatory discussions surrounding mobile security and user protection in the crypto market.

Source: NewsBTC (RSS)

Updated: 3/6/2026, 2:27:12 AM
