Google just revealed one of the most sophisticated attacks against iPhones ever documented. It's called Coruna (also known as CryptoWaters), an exploit kit containing 23 vulnerabilities and 5 complete exploit chains targeting iPhones running iOS 13.0 through 17.2.1. The primary goal: stealing Bitcoin and cryptocurrency from unsuspecting users. After analyzing Google's report, I can say this is a game-changer for mobile security.
What is Coruna and why is it so dangerous
The Google Threat Intelligence Group (GTIG) published its findings on March 3, 2026. Coruna isn't ordinary malware: it's a nation-state-grade exploitation kit that passed from surveillance vendors to Chinese criminal groups.
What makes Coruna especially dangerous is its attack chain:
- You visit a compromised website (watering hole attack)
- The exploit achieves remote code execution via Safari (CVE-2024-23222)
- It escalates privileges to take full control of the iPhone
- Installs payloads disguised as .min.js files
- Steals private keys from cryptocurrency wallets
Who is behind the attack
| Phase | Actor | Objective | Period |
|---|---|---|---|
| 1 | Surveillance vendor | Targeted espionage | Feb 2025 |
| 2 | UNC6353 (Ukraine) | Watering hole attacks | Mid 2025 |
| 3 | UNC6691 (China) | Mass crypto theft | Late 2025 - 2026 |
According to iVerify, this marks the first observed mass exploitation against iOS devices. The kit evolved from a government surveillance tool into an industrial-scale financial theft machine.
How to check if your iPhone is at risk
Your iPhone is vulnerable if it meets BOTH conditions:
- Running iOS 17.2.1 or earlier (any version from iOS 13.0)
- You use Safari to browse (the exploit enters via WebKit)
To check your iOS version:
Settings > General > About > Software Version
If it says 17.3 or higher (including iOS 18.x), you're protected. Coruna does NOT work on recent versions.
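For anyone responsible for more than one phone, the same check can be run over a device inventory. The script below is an added example, not code from Google's report or from this article; the CSV layout and device names are constructed, and the version boundaries are the ones stated above (affected from iOS 13.0 through 17.2.1, Lockdown Mode available since iOS 16).

```python
import csv
import io

# Affected range and mitigation facts as stated in the article above.
FIRST_AFFECTED = (13, 0, 0)
LAST_AFFECTED = (17, 2, 1)
LOCKDOWN_MODE_MIN = (16, 0, 0)  # Lockdown Mode is available since iOS 16

# Constructed sample inventory (hypothetical MDM export, not real devices).
SAMPLE_INVENTORY = """device,ios_version
alice-iphone,17.2.1
bob-iphone,17.3
carol-iphone,15.8
dave-iphone,16.7.2
erin-iphone,18.1
frank-iphone,12.5.7
grace-iphone,unknown
"""

def parse_version(text):
    """Turn '17.2' into (17, 2, 0); return None if the string is not a version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(version_text):
    """Classify one device against the affected range from the article."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: check manually"
    if v > LAST_AFFECTED:
        return "not affected"
    if v < FIRST_AFFECTED:
        return "outside documented range"
    if v >= LOCKDOWN_MODE_MIN:
        return "at risk: update, enable Lockdown Mode meanwhile"
    return "at risk: update (no Lockdown Mode before iOS 16)"

def triage_inventory(csv_text):
    """Return {device: verdict} for a CSV with device and ios_version columns."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: triage(row["ios_version"]) for row in rows}

if __name__ == "__main__":
    for device, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device:14} {verdict}")
```

Versions below iOS 13.0 are reported separately because the article only describes the kit's range; that verdict is not a statement that those devices are safe.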
How to protect yourself right now
In my experience with mobile security threats, these are the immediate actions to take:
- Update iOS immediately: Settings > General > Software Update
- Enable Lockdown Mode if you handle cryptocurrency: Settings > Privacy & Security > Lockdown Mode. Google confirmed that Coruna self-terminates when it detects Lockdown Mode is active.
- Move crypto to a hardware wallet: Private keys stored on a Ledger or Trezor never touch the iOS environment. Even a fully compromised iPhone cannot access funds secured offline.
- Check for suspicious activity in your crypto wallets. If you see unauthorized transactions, move remaining funds immediately.
Common issues
I can't update iOS (not enough space)
Free up at least 3GB by deleting old photos/videos or unused apps, or connect to WiFi and leave the phone charging overnight (iOS downloads the update automatically).
I have an older iPhone that doesn't support iOS 17.3+
If you have an iPhone 8 or earlier, you CAN'T update to iOS 17. Your best protection is to enable Lockdown Mode (available since iOS 16) and avoid browsing unknown sites in Safari. I've been recommending that users with older devices use an alternative browser like Firefox Focus.
My crypto was already stolen — what do I do?
Document the transactions and report them to local police and the exchange platform. Move remaining funds to a new wallet on a clean device. Unfortunately, blockchain transactions are irreversible.