
The trade here is simple: unpatched iPhones are the weakest link in your self custody stack, and Google just put a name on the toolkit doing the draining. The exploit kit, dubbed Coruna, can hijack vulnerable iOS devices with no taps, no downloads, no prompts, then hunt for wallet recovery phrases tied to apps like MetaMask, Phantom, and Trust Wallet. The key level to watch is not a chart, it is your iOS build number: iOS 17.3 or newer is the line between "annoying" and "potentially rekt." [1]

Google's threat intelligence team says the attack can trigger just by visiting a compromised or fake site on an unpatched iPhone. If you are still sitting on iOS 17.2.1 or older, this is not theoretical. [2]

What Google says "Coruna" can do

Google's reporting describes Coruna as a modular iOS exploit kit recovered from a wide set of malicious infrastructure, including hundreds of fake financial and crypto exchange websites. One example cited was a spoofed site impersonating the WEEX exchange. [1]

Coruna's edge is automation. Instead of a bespoke, one off implant, this is a repeatable kit that can be deployed broadly, at scale, against normal users who think iPhones are "safe by default." The kit reportedly targets 18 crypto apps in total, with wallet brands like MetaMask, Phantom, Exodus, Trust Wallet, and Uniswap explicitly in the blast radius.

Google's warning also highlights a clean defensive tell: iPhone Lockdown Mode stops the attack entirely, and the toolkit appears to detect Lockdown Mode and abort. That is a rare gift in mobile exploitation, a simple switch that hard blocks a high end chain.

The exploit window: iOS 17.2.1 and older

The uncomfortable part is timing. Google places the vulnerability window at iOS 17.2.1 and below, with Apple patching the last of the chain's exploits in iOS 17.3, released January 2024. [1]

That means the risk is not just "old phones." It is any device that stayed behind on updates for compatibility, storage, or simple procrastination. Plenty of users still do, especially in regions where older handsets remain common.

From a risk perspective, treat this like a hard cutoff:

  • On iOS 17.3+: the specific chain Google describes is patched.
  • On iOS 17.2.1 or older: assume exposure if you browse to the wrong place, even once.
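
For anyone responsible for more than one phone, that cutoff is easy to apply to an MDM inventory export. The script below is an added example, not from Google's report or any MDM vendor; the inventory is constructed and the serials are placeholders. The one detail worth the code is the comparison itself: version strings have to be parsed into integer tuples, because plain string order puts "16.7.10" before "16.7.9".

```python
"""Flag iPhones still inside the Coruna exploit window from an inventory export.

Added example (not from Google's report or any MDM vendor). INVENTORY below is
constructed; a real one would come from your MDM. Get the comparison right:
parse versions into integer tuples, never compare the strings.
"""
import re
from typing import Dict, List, Tuple

PATCHED_FROM: Tuple[int, ...] = (17, 3)   # iOS 17.3 (January 2024) closed the chain
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")  # first dotted number in the string


def parse_ios_version(version: str) -> Tuple[int, ...]:
    """'iOS 17.2.1' -> (17, 2, 1); '18.0 (22A5282m)' -> (18, 0)."""
    match = VERSION_RE.search(version)
    if match is None:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def in_exploit_window(version: str, cutoff: Tuple[int, ...] = PATCHED_FROM) -> bool:
    """True when the device is older than the first patched build.

    Tuple comparison is element-wise numeric, so (17, 2, 1) < (17, 3) and
    (17, 3, 1) >= (17, 3) both come out right.
    """
    return parse_ios_version(version) < cutoff


def exposed_serials(inventory: List[Dict[str, str]]) -> List[str]:
    """Serials of every device still on an unpatched build."""
    return [d["serial"] for d in inventory if in_exploit_window(d["os_version"])]


def oldest_build(inventory: List[Dict[str, str]]) -> str:
    """Oldest iOS build in the fleet, by numeric comparison."""
    return min((d["os_version"] for d in inventory), key=parse_ios_version)


def oldest_build_naive(inventory: List[Dict[str, str]]) -> str:
    """The bug to avoid: string order sorts '16.7.10' before '16.7.9'."""
    return min(d["os_version"] for d in inventory)


# Constructed MDM-style export. Serials and the beta-style build string are placeholders.
INVENTORY = [
    {"serial": "F2LX-0001", "os_version": "iOS 17.2.1"},       # last unpatched 17.x
    {"serial": "F2LX-0002", "os_version": "17.3"},             # first patched build
    {"serial": "F2LX-0003", "os_version": "16.7.9"},           # old major, exposed
    {"serial": "F2LX-0004", "os_version": "16.7.10"},          # old major, exposed
    {"serial": "F2LX-0005", "os_version": "18.0 (22A5282m)"},  # version plus build id
]

if __name__ == "__main__":
    print("exposed:", exposed_serials(INVENTORY))
    print("oldest build (numeric):", oldest_build(INVENTORY))
    print("oldest build (string order, wrong):", oldest_build_naive(INVENTORY))
```

Feed it the OS version column of whatever your MDM exports; anything listed by `exposed_serials` should be treated the way the bullet above says, as exposed on the first bad page load.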

How Coruna steals: hunt the seed, not the password

Wallet drainers love a familiar setup: trick you into signing, or phishing your phrase. Coruna skips the social engineering step. Google says the toolkit scans notes and messages for seed phrases and keyword patterns such as "backup phrase."

That matters because seed phrase compromise is not "account takeover," it is permanent custody loss. If an attacker grabs your recovery phrase, your Face ID, app password, and even your SIM protections stop mattering. They can import the wallet elsewhere and move funds like a rightful owner.

This also maps to how people actually behave:

  • Users screenshot phrases, store them in Notes, or paste them into chat threads "temporarily."
  • Some wallets and dapps train users to think in phrases and backups, which creates predictable keywords.
  • If the kit is scanning broadly, it does not need to be perfect. It just needs to hit enough devices to pay.

Distribution: "zero click" feel, web delivery, fake exchanges

Google's write up emphasizes a low friction infection path: visiting a compromised or fake website can be enough on an unpatched device. That distribution model is brutal because it scales with normal user activity:

  • searching for an exchange,
  • clicking promoted links,
  • landing on SEO poisoned pages,
  • or hitting a local business site that got silently compromised.

It is also a reminder that crypto users are prime targets. We click faster, we chase yields, we connect wallets, we assume we can spot scams. Toolkits like Coruna are built for that environment.

The supply chain: from espionage to criminals

The most telling detail is not the technical chain, it is who used it and how it traveled.

Google ties Coruna's usage to multiple actor types over time:

  • A suspected Russian espionage group reportedly used the toolkit in summer 2025 to target Ukrainian iPhone users, delivered through compromised local business websites.
  • A China based financially motivated group later deployed it more broadly via scam sites, which is how Google says it was able to retrieve the full toolkit and name it Coruna.
  • The kit is also described as having passed through the hands of a surveillance company at some point in its "journey."

That arc should worry anyone who equates iOS exploitation with rare, nation state only events. The pattern here is classic commoditization: elite capability appears in targeted ops first, then leaks, gets resold, or gets copied into criminal scale tooling.

Google also notes overlap with prior high profile iOS exploitation. Two Coruna exploits were previously used in Operation Triangulation, a 2023 iOS spying campaign uncovered by Kaspersky. Translation: once a chain works, it gets recycled. [3]

What this means for crypto markets and wallets

This is not a "price candle" catalyst, but it is a trust and flow story. When mobile wallets feel unsafe, users do three things:

  1. Pull funds off hot wallets and reduce on chain activity.
  2. Shift to hardware wallets or multisig, especially for long term holds.
  3. Centralize temporarily, which can increase exchange balances and counterparty risk.

For wallet teams, the reputational risk is real even if the root cause sits in iOS. Users do not separate OS layer compromise from wallet compromise, they just see "my Phantom got drained." Expect more emphasis on in app warnings about seed storage, plus stronger nudges toward hardware signing for meaningful size.

How to not become exit liquidity: practical defenses

If you only do two things after reading this, do them now:

  1. Update to iOS 17.3 or newer, ideally the latest available iOS version for your device.
  2. Enable Lockdown Mode if your threat model is elevated (public facing, high net worth, politically exposed, or you travel often). Google indicates it blocks Coruna outright.

Additional steps that actually move the needle:

  • Assume Notes and Messages are hostile storage. Delete seed phrases, backups, and screenshots. Do not "hide" them, remove them.
  • Rotate wallets if a phrase ever touched your phone. Create a new seed offline, move funds, revoke approvals.
  • Use hardware wallets for meaningful size. A compromised phone should not be able to sign away your cold funds.
  • Bookmark real exchange and wallet URLs, avoid search ads and random links for anything that touches custody.
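
One way to find those exposures before someone else does, as an added example that is not from Google's report, Apple, or any wallet vendor: the script below does the defender's version of what the "hunt the seed" section describes, keyword search plus phrase hunting, over a plain-text export of your notes or messages. The sample notes are constructed. The full 2048-word BIP-39 list is not embedded; DEMO_WORDLIST holds only the list's first four words so the checksum path can be shown on the standard all-"abandon" test vector, and `load_wordlist` takes the path to a real copy of the list (one word per line, in order) for an actual audit.

```python
"""Audit a plain-text export of notes or messages for stored BIP-39 seed phrases.

Added example (not from Google's report or any wallet vendor). It mirrors what
the article says the kit does, keyword search plus phrase hunting, so you can
find your own exposures first. The full 2048-word BIP-39 list is not embedded;
DEMO_WORDLIST holds only its first four words so the checksum path can run here.
"""
import hashlib
import re
from typing import Dict, Iterator, List, Optional

MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)   # valid BIP-39 phrase lengths
TOKEN_RE = re.compile(r"[A-Za-z]+")        # "1." numbering and punctuation fall away
SHAPE_RE = re.compile(r"^[a-z]{3,8}$")     # every English BIP-39 word has this shape

# Keyword patterns of the kind the article says the kit looks for (constructed list).
KEYWORD_RE = re.compile(
    r"\b(?:backup|seed|recovery|secret)\s+(?:phrase|words?)\b|\bmnemonic\b",
    re.IGNORECASE,
)

# First four words of the real BIP-39 English list, enough for the demo vector below.
DEMO_WORDLIST: Dict[str, int] = {"abandon": 0, "ability": 1, "able": 2, "about": 3}


def load_wordlist(path: str) -> Dict[str, int]:
    """Word -> index map from a copy of the BIP-39 english.txt (one word per line)."""
    with open(path, encoding="utf-8") as fh:
        return {w.strip(): i for i, w in enumerate(fh) if w.strip()}


def find_keyword_hits(text: str) -> List[str]:
    """Distinct keyword phrases present, lower-cased."""
    return sorted({m.group(0).lower() for m in KEYWORD_RE.finditer(text)})


def find_candidate_runs(text: str, wordlist: Optional[Dict[str, int]] = None) -> List[List[str]]:
    """Runs of at least 12 consecutive mnemonic-shaped tokens.

    Without a wordlist the test is structural: lowercase, 3 to 8 letters. English
    prose rarely goes 12 words without a two-letter function word, which breaks
    the run. With a word->index map, tokens must also be BIP-39 words.
    """
    runs: List[List[str]] = []
    run: List[str] = []
    for tok in TOKEN_RE.findall(text):
        ok = tok.lower() in wordlist if wordlist is not None else bool(SHAPE_RE.match(tok))
        if ok:
            run.append(tok.lower())
            continue
        if len(run) >= MNEMONIC_LENGTHS[0]:
            runs.append(run)
        run = []
    if len(run) >= MNEMONIC_LENGTHS[0]:
        runs.append(run)
    return runs


def bip39_checksum_ok(words: List[str], wordlist: Dict[str, int]) -> bool:
    """BIP-39 check: concatenate the 11-bit indexes; the last len/3 bits must
    equal the leading bits of SHA-256 over the entropy encoded by the rest."""
    if len(words) not in MNEMONIC_LENGTHS or any(w not in wordlist for w in words):
        return False
    bits = "".join(format(wordlist[w], "011b") for w in words)
    cs_len = len(words) // 3                      # 12 words -> 4 bits, 24 -> 8
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    first_byte = hashlib.sha256(entropy).digest()[0]
    return format(first_byte, "08b")[:cs_len] == cs_bits


def extract_mnemonics(run: List[str], wordlist: Dict[str, int]) -> Iterator[List[str]]:
    """Slide every valid length over a run; yield the windows whose checksum verifies."""
    for n in MNEMONIC_LENGTHS:
        for i in range(len(run) - n + 1):
            window = run[i:i + n]
            if bip39_checksum_ok(window, wordlist):
                yield window


def audit_text(text: str, wordlist: Optional[Dict[str, int]] = None) -> Dict[str, object]:
    """What a scanner, hostile or defensive, would see in one note."""
    keywords = find_keyword_hits(text)
    runs = find_candidate_runs(text, wordlist)
    verified = [m for r in runs for m in extract_mnemonics(r, wordlist)] if wordlist else []
    return {
        "keywords": keywords,
        "candidate_runs": len(runs),
        "verified_mnemonics": len(verified),
        "exposed": bool(keywords or runs),
    }


# Constructed sample export: three notes typed the way people actually type them.
SAMPLE_NOTES = {
    "wallet backup": (
        "MetaMask backup phrase (do not share!!)\n"
        "1. abandon 2. abandon 3. abandon 4. abandon 5. abandon 6. abandon\n"
        "7. abandon 8. abandon 9. abandon 10. abandon 11. abandon 12. about"
    ),
    "todo": "Recovery phrase is in the safe, not here. Buy milk.",
    "groceries": "eggs, milk, bread. Call the dentist on Monday about the invoice.",
}

if __name__ == "__main__":
    for title, body in SAMPLE_NOTES.items():
        print(title, audit_text(body, DEMO_WORDLIST))
```

Run it against an export on a machine you control, not on the phone. A structural hit without the wordlist is a candidate, not proof; the checksum only confirms when the real list is supplied. Any verified hit means the phrase is burned: create a new seed offline, move funds, revoke approvals, then delete the note.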

Watchlist takeaway

  • If you are on iOS 17.2.1 or older: treat it as urgent, update immediately.
  • If you used Notes, iMessage, or email drafts to store a seed: migrate funds to a fresh wallet.
  • If you are a heavy mobile wallet user (MetaMask, Phantom, Trust Wallet, Exodus, Uniswap): reduce hot wallet balances, review approvals, and keep the phone patched.
  • If you want a hard stop defense: Lockdown Mode is the cleanest on device mitigation Google calls out.

Coruna is a reminder that the easiest drain is not a clever smart contract exploit, it is getting your seed off your phone. Patch fast, store seeds offline, and keep hot wallets small enough that a bad click does not turn into a portfolio event.