2026-3-7 11:53
Security researchers have uncovered a hacking toolkit designed to compromise Apple iPhones and steal cryptocurrency wallet data.
Threat analysts at Google say the exploit kit specifically targets crypto users by searching infected devices for wallet seed phrases and other financial information.
The tool, known as Coruna, focuses on iPhones running older versions of iOS.
According to Google Threat Intelligence Group, the kit contains several exploit chains capable of accessing sensitive information from targeted devices.
Researchers said they first identified parts of the attack infrastructure in early 2025 and later observed the exploit appearing in espionage activity as well as networks of fraudulent cryptocurrency websites designed to steal digital assets.
Exploit kit targets older iOS devices
Researchers said Coruna targets iPhones running iOS versions from 13.0 up to 17.2.1.
The framework contains five full exploit chains and a total of 23 vulnerabilities, including several previously unknown exploits.
https://twitter.com/Mandiant/status/2028938464784269632
The Google Threat Intelligence Group said the first traces of the toolkit appeared in February 2025 during an investigation involving a surveillance company customer.
Attackers used JavaScript code to fingerprint visiting devices.
This allowed them to determine whether the iPhone was vulnerable before delivering the appropriate exploit chain.
Researchers said the exploit does not function on the latest iOS versions.
They therefore advised users to install the most recent updates released by Apple or enable Lockdown Mode, a security feature designed to counter sophisticated cyber attacks.
Fake crypto websites deliver the attack
Further analysis showed the exploit framework later appeared on multiple compromised Ukrainian websites.
The malicious code was configured so that it would only be delivered to selected iPhone users located in specific geographic regions.
Researchers later identified the same framework embedded across a large network of fake Chinese websites connected to finance and cryptocurrency services.
Some of these websites impersonated legitimate platforms.
One example discovered by researchers spoofed the cryptocurrency exchange WEEX.
When an iPhone user visits one of these websites, the exploit kit is delivered to the device.
The software then scans the phone for financial information, analysing messages and stored data for seed phrases and keywords such as "backup phrase" or "bank account".
The exploit also searches for installed cryptocurrency applications such as Uniswap and MetaMask to locate wallet data.
Espionage links first identified
Researchers said the exploit kit was initially linked to a suspected Russian espionage group targeting Ukrainian individuals.
Later investigations revealed the same infrastructure being used in campaigns involving fake crypto websites designed to steal funds.
The reuse of the exploit framework across espionage and financial attacks illustrates how sophisticated hacking infrastructure can spread between threat groups.
Origins remain disputed
The origin of the Coruna exploit kit remains unclear and is being debated among cybersecurity researchers.
Mobile security company iVerify told WIRED the toolkit may have been developed or purchased by the US government because of its complexity and development cost.
However, researchers at Kaspersky said they found no evidence showing code reuse linking Coruna to previously known US government cyber tools.
A principal security researcher told The Register that currently available reports do not support that attribution.
The post Google uncovers iPhone exploit kit targeting crypto wallet seed phrases appeared first on Invezz








