Google’s Threat Intelligence Group (GTIG) disclosed an iOS exploit framework called Coruna that has been used to steal cryptocurrency wallet seed phrases and other financial data, in a report published in March 2026. The alert lands as another reminder that mobile endpoints have become a prime target for crypto theft, especially when wallets and DeFi apps are used on the same device that handles everyday browsing.
What makes Coruna especially disruptive is that it can compromise a vulnerable iPhone with no user interaction when the device visits a malicious or compromised website. GTIG said the toolkit bundles 23 separate vulnerabilities across five exploit chains, affecting iOS versions 13.0 through 17.2.1, and once deployed it searches device content for wallet recovery material and other credentials.
How Coruna turns a website visit into a wallet drain
GTIG described a workflow where Coruna fingerprints devices and then delivers tailored exploit chains via malicious web pages. The core operational risk is that a normal browsing session can become an automatic compromise event if the iPhone is on a vulnerable version. After exploitation, Coruna scans text content for keywords such as “backup phrase” and attempts to extract seed phrases and credentials used by popular wallet and DeFi applications.
In GTIG’s account, Coruna isn’t a single bug—it’s a modular framework built from multiple vulnerabilities that can be chained for reliable access. That design raises the threat level for crypto users because the toolkit isn’t just looking for generic financial data; it’s explicitly hunting the material that can unlock irreversible asset transfers.
GTIG’s reporting also shows how advanced tooling can spread beyond its original purpose. Early activity was observed in watering-hole attacks attributed to a suspected espionage group identified as UNC6353 targeting Ukrainian users, and later the same framework was used by financially motivated operators identified as UNC6691. In that latter phase, GTIG said the toolkit was deployed through hundreds of fraudulent Chinese-language crypto and finance websites, and researchers observed at least one operation compromising an estimated 42,000 devices.
What crypto teams should change immediately
GTIG’s most practical takeaway is straightforward: fully updated iOS devices are the cleanest defense because Apple has patched the relevant vulnerabilities in newer releases. Where updating isn’t feasible right away, GTIG recommended enabling Apple’s Lockdown Mode to reduce the exploit’s ability to operate, and tightening browsing hygiene around unsolicited or unfamiliar crypto and finance sites.
For custodians and product teams, the larger issue is control design. Any workflow that relies on a single mobile device for key custody or high-value transaction signing is now a concentration risk, particularly when exploit kits can be repurposed from espionage into mass-scale theft. The sensible posture is layered custody and accelerated patching discipline, so one compromised endpoint doesn’t become a total-loss event.
iVerify described Coruna as “government-grade,” underscoring the sophistication and likely development cost, even though GTIG’s report does not settle final attribution. The bigger trend is that high-end exploit capability is increasingly bleeding into profit-driven fraud, and firms handling on-chain assets should assume more of these toolchains will circulate once they prove financially effective.