Google detects iOS exploits targeting crypto wallet seed phrases
Researchers from Google Threat Intelligence Group have reported a new exploit toolkit targeting iPhones and designed to steal data from cryptocurrency wallets. The toolkit, named Coruna, targets Apple devices running iOS versions from 13.0 to 17.2.1.
The toolkit includes dozens of vulnerabilities, some of which were previously unknown, Cointelegraph writes. According to Google, the attacks were first observed against users in Ukraine, and a similar scheme later appeared on fake Chinese websites related to financial services.
Coruna exploit and fake crypto websites
According to a report by Google Threat Intelligence Group (GTIG), Coruna contains five full exploit chains for iOS vulnerabilities and a total of 23 exploits. Some of them had not previously been known to cybersecurity researchers.
The toolkit was first discovered in February 2025. Attackers used JavaScript code that identified the device model and iOS version before delivering the appropriate exploit to the victim.
The same mechanism was later found on compromised Ukrainian websites. The malicious code was served only to iPhone users from specific regions. In December, GTIG researchers detected the same scheme on a large number of fake Chinese websites linked to financial services. One of them mimicked the interface of the cryptocurrency exchange WEEX.
After a user loads the page, the toolkit checks the device and attempts to locate financial information. In particular, it scans text for seed phrases and keywords such as “backup phrase” or “bank account.” The exploit also searches for installed crypto applications, including MetaMask and Uniswap, to obtain sensitive data.
GTIG notes that the exploit toolkit does not work on the latest versions of iOS. iPhone users are advised to update their devices to the latest system version or enable Lockdown Mode, which is designed to protect against sophisticated attacks.
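A fleet-triage sketch for the version range stated above, added here as an example and not taken from GTIG's report: it flags devices whose reported iOS version falls within 13.0 to 17.2.1 and sets aside version strings it cannot parse instead of guessing. The inventory rows, device names and function names are constructed for illustration.

```python
import re

# Targeted range as stated in the article: iOS 13.0 through 17.2.1 (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

_VERSION_RE = re.compile(r"\s*(?:iOS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", re.IGNORECASE)


def parse_ios_version(raw):
    """Return (major, minor, patch), or None if the string is not a plain version."""
    match = _VERSION_RE.fullmatch(raw or "")
    if match is None:
        return None
    # Missing components count as zero, so "17.2" compares as 17.2.0.
    return tuple(int(part) if part else 0 for part in match.groups())


def classify(raw):
    """Label one reported version: 'in-range', 'out-of-range' or 'unknown'."""
    version = parse_ios_version(raw)
    if version is None:
        return "unknown"  # needs manual review, never assumed safe
    # Tuple comparison is numeric per component, unlike string comparison.
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "in-range"
    return "out-of-range"


def triage(inventory):
    """Group (device, version) rows by classification, keeping input order."""
    groups = {"in-range": [], "out-of-range": [], "unknown": []}
    for device, version in inventory:
        groups[classify(version)].append(device)
    return groups


# Constructed sample rows, shaped like a simple MDM inventory export.
SAMPLE_INVENTORY = [
    ("phone-01", "17.2.1"),      # upper bound of the stated range
    ("phone-02", "iOS 16.7.10"), # two-digit patch component
    ("phone-03", "17.3"),        # just above the stated range
    ("phone-04", "12.5.7"),      # below the stated range
    ("phone-05", "17.2.1 beta"), # not a plain version string
    ("phone-06", ""),            # version missing from the export
]

if __name__ == "__main__":
    for label, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(devices) or '-'}")
```

Devices labelled out-of-range are only outside the range the article states; versions below 13.0 are not thereby current, so the update advice above still applies to them.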
Debate over the tool’s origins
The origin of Coruna has become a topic of discussion among cybersecurity experts. Google did not disclose the client behind the development, but specialists at the security firm iVerify believe the tool could be linked to government entities.
iVerify co-founder Rocky Cole told WIRED:
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government.”
According to him, such tools may have ended up in the hands of other groups:
“This is the first example we’ve seen of very likely US government tools — based on what the code is telling us — spinning out of control and being used by both our adversaries and cybercriminal groups.”
However, not all experts agree with that assessment. A principal security researcher at Kaspersky told The Register that the company had found no convincing evidence of code reuse that would link Coruna to developers working for government agencies.
Why this matters for crypto users
The Coruna case highlights how mobile devices remain a key attack vector for criminals targeting crypto assets. Seed phrases are the primary objective of such attacks: they allow attackers to restore wallet access and transfer funds without the possibility of reversing the transaction.
According to blockchain security firm CertiK, phishing and key theft remain among the most common threats facing crypto investors. In 2025 alone, such attacks led to losses of about $722 million.
These attacks typically combine several techniques at once, including exploiting operating system vulnerabilities, using fake websites, and scanning installed applications. As a result, regular software updates and additional protections such as Lockdown Mode remain some of the most effective security measures for cryptocurrency users.