Google security researchers have confirmed the existence of a sophisticated iPhone exploit kit named Coruna, designed to steal cryptocurrency wallet data from vulnerable iOS devices. This toolkit chains together 23 distinct iOS vulnerabilities across five separate exploit chains to bypass Apple’s security protections on devices running iOS versions 13 through 17.2.1. Attackers embed Coruna within fraudulent exchanges, gambling platforms, and other finance or cryptocurrency themed websites. When a vulnerable iPhone visits one of these compromised pages, JavaScript silently fingerprints the device and triggers a WebKit exploit that escapes the browser sandbox to gain elevated system privileges. Once the payload is installed, it systematically scans the device’s file system, photos, and notes for BIP39 seed phrases, QR codes, and keywords such as “backup phrase.” The malware can also exfiltrate data directly from popular wallet applications, enabling attackers to drain funds remotely without triggering any on-device transaction prompts or user confirmations.
The devices most at risk are iPhones operating on iOS versions between 13.0 and 17.2.1, which includes many devices from 2019 onward that have not been updated to iOS 17.3 or later. Security researchers have identified mobile wallets such as MetaMask, Bitget Wallet, Phantom, Trust Wallet, Exodus, and TON wallets as primary targets because Coruna actively searches for their application data alongside any seed phrases or QR codes saved elsewhere on the device. This exploit operates on a “visit to compromise” model, meaning that merely loading a malicious webpage from a vulnerable iPhone can be sufficient for infection. Users do not need to sign a suspicious transaction or download an attachment for their private keys to be stolen, making this threat particularly insidious for those who browse crypto related content on their phones.
Apple has patched the primary WebKit vulnerability leveraged by Coruna in iOS 17.3 and subsequent releases, and researchers confirm the toolkit fails against fully updated devices. High level protections that materially reduce risk include maintaining iOS at the latest available version, enabling Lockdown Mode on devices that cannot be updated immediately, avoiding untrusted cryptocurrency or gambling links, and never storing seed phrases or private keys in notes, screenshots, or cloud backups tied to the phone. Hardware wallets that keep cryptographic keys entirely off the mobile device remain significantly more resistant to this category of exploit. For anyone using an iPhone as a primary interface for cryptocurrency management, software hygiene and disciplined key storage practices are as critical as the choice of wallet application itself.
Coruna demonstrates that iPhones can no longer be considered a secure default for hosting hot wallets when running outdated software or visiting high risk crypto sites. The exploit precisely targets the assets thieves value most in the cryptocurrency ecosystem: seed phrases and wallet data. It accomplishes this silently once a vulnerable device accesses a malicious page. Keeping iOS current, hardening browsing habits, and moving critical cryptographic keys off the phone substantially reduce the likelihood that this type of mobile exploit results in a complete loss of funds. As the threat landscape evolves, proactive security measures remain the most effective defense for preserving digital asset safety on mobile platforms.
