- Google TAG reports Coruna exploits 23 iOS vulnerabilities to steal crypto keys.
- Attack uses WebKit and local privilege escalation to escape the browser sandbox.
- iVerify observed the exploit on at least 42,000 devices.
- Campaign targets non-custodial wallet files, QR codes, and BIP39 seeds.
Google’s Threat Analysis Group has identified a sophisticated exploit kit, dubbed Coruna, designed to drain cryptocurrency directly from mobile wallets on iOS devices. The discovery carries weight beyond its technical complexity: researchers say tooling of this caliber has historically been used in nation-state espionage campaigns, not in criminal ones. Its repackaging into a commercially distributed kit marks a meaningful shift in the threat landscape for retail crypto users.
Coruna exploits 23 zero-day vulnerabilities in iOS, several of which are embedded in the WebKit browser engine, and operates across iOS versions 13.0 through 17.2.1. The attack requires just one interaction.
A victim visits a compromised site, typically dressed up as a gambling platform, a news outlet, or a token rewards page, and the chain fires automatically. The kit leverages WebKit flaws to achieve local privilege escalation, break out of the browser sandbox, and plant malware on the device with no visible indicator to the user.
The malware’s post-deployment behavior is methodical. It sweeps for cryptocurrency-related files, attempts to extract BIP39 mnemonic phrases from Notes and app databases, queries the photo library for QR codes that may contain wallet keys, and probes the file directories of installed wallet applications. Extraction typically completes long before any user-side anomaly is detectable.
Self-Custody Wallets Carry the Highest Exposure
Users holding crypto in non-custodial applications, such as MetaMask, Trust Wallet, and Bitget Wallet, are among the most commonly targeted and face the greatest risk. Google TAG researchers pointed to a persistent trust gap: many iPhone users assume iOS’s closed architecture provides meaningful protection against this class of attack.
Coruna is engineered around that assumption. It is particularly effective against users who store wallet credentials unencrypted on-device, and against active DeFi and DApp users whose devices maintain persistent connections to multiple external contracts and protocols.
Mobile security firm iVerify has separately confirmed that comparable drain techniques have been validated against at least 42,000 Android devices, indicating that the pressure on mobile wallet holders is not limited to iOS.
Apple has not yet issued patches covering all affected versions. Security researchers are urging mobile crypto holders to migrate their material balances to hardware wallets and avoid storing sensitive credentials, seed phrases, private keys, or wallet passwords on mobile devices.