A suite of government hacking tools targeting iPhones is now being used by cybercriminals

Security researchers have identified a suite of powerful hacking tools capable of compromising iPhones running older software that they say has passed from a government customer into the hands of cybercriminals.

Google said Tuesday that it first identified the exploit kit, dubbed Coruna, in February 2025 during a surveillance vendor’s attempt to hack into someone’s phone with spyware on behalf of a government customer. It found the same exploit kit months later targeting Ukrainian users in a broad-scale campaign by a Russian espionage group, and then later found it used by a financially motivated hacker in China.

It’s unclear how the tools leaked or proliferated, but Google security researchers warned of an emerging market for “secondhand” exploits, which are sold to hackers motivated by money to extract more value out of the exploit.

The discovery also shows how exploits and back doors designed to be used by governments can leak and ultimately be abused by cybercriminals or other non-state actors. Mobile security company iVerify obtained and reverse-engineered the hacking tools, saying in a blog post that it linked the Coruna exploit kit to the U.S. government, based on similarities to hacking tools previously attributed to the United States.

“The more widespread the use, the more certain a leak will occur,” said iVerify. “While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Google said the hacking tools are powerful, as they can bypass an iPhone’s defenses simply through visiting a malicious website containing the exploit code — such as being sent a malicious link — in what is known as a “watering hole” attack. According to Google, the Coruna kit can hack into an iPhone five separate ways by relying on and chaining together 23 separate vulnerabilities in its digital arsenal. Affected devices range from iPhone models running iOS 13 up to 17.2.1, which released in December 2023.

According to Wired, which first reported the news, the Coruna kit contains components that were previously used in a hacking campaign dubbed Operation Triangulation. Russian cybersecurity firm Kaspersky claimed in 2023 that the U.S. government tried to hack several iPhones belonging to its employees.

While leaks of hacking tools are rare, they are not unheard of. In 2017, the U.S. National Security Agency discovered that tools it had developed to hack into Windows computers worldwide had been stolen. The Windows back door, known as EternalBlue, was later published and was used by cybercriminals in subsequent attacks, including the 2017 WannaCry ransomware attack by North Korea.

TechCrunch also recently reported on the case of Peter Williams, the former head of the U.S. defense contractor L3Harris Trenchant, who was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker known to work with the Russian government.

According to prosecutors, Williams sold exploits that were capable of hacking into “millions of computers and devices” worldwide. At least one exploit was sold onto a South Korean broker. It’s unclear if the exploits were ever disclosed to the software makers, or patched.