iPhone Users Warned: Crypto Scams Can Trigger ‘Coruna’ iOS Exploits
Analysis
Price Impact
MedThis news highlights a sophisticated ios exploit kit targeting crypto users, which could lead to significant losses for affected individuals. while the exploit kit itself doesn't directly impact the price of major cryptocurrencies, it could erode user confidence in mobile crypto security, potentially leading to a short-term bearish sentiment as users become more cautious.
Trustworthiness
HighThe information comes from google's threat intelligence group (gtig), a reputable source for cybersecurity threats, and is corroborated by mobile security firm iverify. the detailed technical analysis and tracking of the exploit's evolution lend high credibility to the report.
Price Direction
BearishThe news of a powerful ios exploit kit specifically targeting crypto users, designed to steal seed phrases and wallet data, is likely to cause fear and uncertainty in the market. this could lead to a short-term sell-off as users, particularly those holding significant assets on mobile devices, become risk-averse. however, the impact might be limited to user sentiment rather than fundamental price drivers of major cryptocurrencies if the exploit is patched quickly and users update their devices.
Time Effect
ShortThe immediate impact is likely to be felt in the short term as news spreads and users react by securing their assets. if apple quickly addresses the vulnerabilities and google's safe browsing effectively blocks the scam sites, the negative sentiment may subside relatively quickly. the long-term impact depends on the ongoing cat-and-mouse game between exploit developers and security researchers.
Original Article:
Article Content:
Reason to trust Strict editorial policy that focuses on accuracy, relevance, and impartiality Created by industry experts and meticulously reviewed The highest standards in reporting and publishing How Our News is Made Strict editorial policy that focuses on accuracy, relevance, and impartiality Ad discliamer Morbi pretium leo et nisl aliquam mollis. Quisque arcu lorem, ultricies quis pellentesque nec, ullamcorper eu odio. Google’s Threat Intelligence Group (GTIG) is warning that a “new and powerful” iOS exploit kit, dubbed Coruna by its developers has been deployed on fake finance and crypto websites designed to lure iPhone users into visiting pages that can silently deliver exploits. For crypto holders, the risk is blunt: GTIG’s analysis shows the campaigns ultimately focused on harvesting seed phrases and wallet data from popular mobile apps. Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, bundling five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution across 2025, from early use by a customer of a commercial surveillance company, to “watering hole” attacks on compromised Ukrainian websites, and finally to broad-scale distribution via Chinese-language scam sites tied to a financially motivated actor it tracks as UNC6691. A Crypto Lure Designed For iPhones In the scam-wave phase, GTIG says it observed the JavaScript framework behind Coruna deployed across a “very large set” of fake Chinese websites largely themed around finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that tried to push visitors onto an iOS device—after which a hidden iFrame would be injected to deliver the exploit kit “regardless of their geolocation.” Related Reading CFTC Chair Says Crypto Perps Approval Is Close — Why This Is Huge For Hyperliquid? 1 day ago The delivery mechanics matter because they blur the line between traditional phishing and outright device compromise: in GTIG’s telling, simply arriving on the booby-trapped page from a vulnerable iPhone was enough to begin the chain. The framework fingerprints the device to identify model and iOS version, then loads the appropriate WebKit remote code execution exploit and a pointer authentication (PAC) bypass. GTIG tied one WebKit RCE it recovered to CVE-2024-23222, noting it was addressed by Apple in iOS 17.3 on Jan. 22, 2024. At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on classic surveillance features and more on stealing financial information. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, along with keywords such as “backup phrase” and “bank account”, including in Apple Memos, which it can then exfiltrate. Related Reading Crypto’s Quietest Month In Nearly A Year — But Hackers Haven’t Gone Away 3 days ago The payload is also modular. GTIG says it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions and exfiltrate sensitive information from common crypto wallet apps—among them MetaMask , Trust Wallet, Uniswap’s wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper. The broader arc was also flagged by mobile security firm iVerify, which published its own findings around the same time as GTIG’s report. “And that’s exactly what happened again here, but on mobile devices. Phone OEMs do as good a job as anyone can do…” What Crypto Users Can Do Now Google says Coruna “is not effective against the latest version of iOS,” and urges users to update. If updating isn’t possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it added the identified websites and domains to Google Safe Browsing to help reduce further exposure. For crypto-native users, the immediate takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, which makes “visit-to-compromise” campaigns uniquely dangerous. GTIG’s reporting suggests the scam funnel wasn’t just about getting victims to connect wallets, it was about getting them onto the right device, on the right iOS version, so exploitation could do the rest. At press time, the total crypto market cap stood at $2.45 trillion. Total crypto market cap faces the 0.786 Fib, 1-week chart | Source: TOTAL on TradingView.com Featured image created with DALL.E, chart from TradingView.com