iPhone users warned: Cryptocurrency scams may trigger ‘Coruna’ exploits on iOS


The Google Threat Intelligence Group (GTIG) is warning that fake finance and cryptocurrency websites have used a “new and powerful” iOS exploit kit, dubbed Coruna by its developers, luring iPhone users to sites that can silently deliver exploits. For cryptocurrency holders, the risk is blunt: GTIG's analysis shows campaigns ultimately focused on collecting seed phrases and wallet data from popular mobile apps.

Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, combining five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution in 2025, from early use by a client of a commercial surveillance company, through watering hole attacks on compromised Ukrainian websites, to wide-scale distribution via Chinese-language scam sites linked to a financially motivated actor it tracks as UNC6691.


Crypto bait designed for iPhones

During the fraud wave, GTIG says it observed the JavaScript framework behind Coruna deployed on a “very large set” of fake Chinese websites focused primarily on finance. One example cited by GTIG is a fake WEEX-branded cryptocurrency exchange site that tried to push visitors to use an iOS device, after which a hidden iFrame was injected to deliver the exploit kit “regardless of their geolocation.”

The delivery mechanics matter because they blur the line between conventional phishing and direct device compromise: According to GTIG, the mere appearance of a vulnerable iPhone on a booby-trapped site was enough to start the chain. The framework fingerprints the device to identify the iOS model and version, then loads the appropriate WebKit remote code execution exploit and pointer authentication (PAC) bypass.

GTIG linked one recovered WebKit RCE to CVE-2024-23222, noting that Apple addressed this issue in iOS 17.3 on January 22, 2024.

GTIG says that at the end of the chain, Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID), which it describes as focused less on classic surveillance functions and more on stealing financial information. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences along with keywords such as “backup phrase” and “bank account”, including those in Apple Memos, which it can then exfiltrate.

The payload is also modular. GTIG claims it can download and execute additional modules remotely, and many of the identified modules are designed to hijack functions and extract sensitive information from popular cryptocurrency wallet applications – MetaMask, Trust Wallet, Uniswap wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper, among others.

The broader problem was also noticed by mobile security company iVerify, which published its own findings around the same time as the GTIG report. “And the exact same thing happened here, but on mobile devices. Phone OEMs are doing their job as best as anyone can…”

What cryptocurrency users can do now

Google says Coruna is “not effective on the latest version of iOS” and encourages users to update. If updating is not possible, GTIG recommends enabling Apple's Lockdown Mode. GTIG also says it has added the identified websites and domains to Google Safe Browsing to limit further exposure.
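For teams that manage iPhones, the affected range quoted above (iOS 13.0 through 17.2.1) can be checked against web proxy logs. The following is an added example, not code from GTIG or Google: the log lines are constructed, the tab-separated log layout is hypothetical, and it assumes the Safari User-Agent reflects the device's real iOS version.

```python
import re

# Affected range as stated in the article: iOS 13.0 through iOS 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Mobile Safari reports the OS as e.g. "CPU iPhone OS 17_2_1 like Mac OS X".
UA_IOS = re.compile(r"\((?:iPhone|iPad|iPod)[^)]*?\bOS (\d+)_(\d+)(?:_(\d+))?")

# Constructed sample lines in a hypothetical "client<TAB>user-agent" layout.
SAMPLE_LOG = [
    "10.0.4.17\tMozilla/5.0 (iPhone; CPU iPhone OS 16_7_2 like Mac OS X) AppleWebKit/605.1.15",
    "10.0.4.22\tMozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15",
    "10.0.4.31\tMozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15",
    "10.0.4.40\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "10.0.4.55\tMozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15",
    "10.0.4.17\tMozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15",
]


def ios_version(user_agent):
    """Return (major, minor, patch) parsed from a User-Agent, or None if not iOS."""
    match = UA_IOS.search(user_agent)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def in_affected_range(version):
    """True when the version falls inside the range the article gives."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(log_lines):
    """Return {client: "x.y.z"} for clients whose most recent iOS version is affected."""
    latest = {}
    for line in log_lines:
        client, _, user_agent = line.partition("\t")
        version = ios_version(user_agent)
        if version is not None:
            latest[client] = version  # later lines override earlier ones
    return {
        client: ".".join(map(str, version))
        for client, version in latest.items()
        if in_affected_range(version)
    }


if __name__ == "__main__":
    for client, version in triage(SAMPLE_LOG).items():
        print(f"{client}: iOS {version} is in the affected range; update or enable Lockdown Mode")
```

Client 10.0.4.17 is not flagged because its most recent request shows an updated iOS version.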

For users dealing in cryptocurrencies, the immediate conclusion is practical: mobile wallets sit at the intersection of high-value assets and high-frequency internet traffic, which makes “trade-off visits” campaigns extremely dangerous. GTIG reports that the scam path wasn’t just about getting victims to link their wallets, but about steering them onto the right device running the right version of iOS so that the exploit could take care of the rest.

At press time, the total market capitalization of cryptocurrencies was $2.45 trillion.

Total Cryptocurrency Market Cap Follows 0.786 Fib, 1-Week Chart | Source: TOTAL on TradingView.com

Featured image created with DALL.E, chart from TradingView.com
