Google reveals iPhone cryptocurrency attack toolkit "Coruna," capable of stealing seed phrases and wallet information

March 5 News: Google Threat Intelligence Group (GTIG) recently released a security report stating that researchers have discovered a new iPhone exploit toolkit called “Coruna,” used to steal cryptocurrency wallet mnemonics and financial information. The toolkit targets devices running iOS 13.0 to 17.2.1 and launches targeted attacks through multiple exploit chains, drawing significant attention in the mobile security field.

The report shows that “Coruna” contains five complete iOS exploit chains, involving a total of 23 security vulnerabilities, some of which have never been publicly disclosed before. Google researchers said they first identified related attack activity in February 2025 and found that the tool is suspected to have been used initially by Russian espionage groups in cyberattacks against Ukrainian users. It was later used to impersonate financial and crypto-related websites to trick users into revealing information.

The attack mainly relies on malicious web pages delivering exploit code. When iPhone users visit specific sites, JavaScript frameworks on the pages perform device fingerprinting, verify the system version, and then load the corresponding exploit chain. Researchers found the same framework on multiple compromised Ukrainian websites and noted that the attack code was only sent to iPhones in certain regions.

In December 2025, the team further detected the same framework on numerous fake Chinese-language websites related to financial services, including counterfeit crypto platform pages. Once victims access these sites on iOS devices, the tools scan for sensitive information such as mnemonic phrases, backup words, or bank account details, and attempt to read data from common crypto wallet apps to gain control of digital assets.

Google states that this exploit toolkit currently cannot run on the latest iOS versions, and recommends that iPhone users upgrade their systems promptly. If upgrading is not possible, users can enable Apple’s “Lockdown Mode” to defend against sophisticated cyberattacks.

Meanwhile, the origin of “Coruna” has sparked controversy. Rocky Cole, co-founder of mobile security firm iVerify, told the media that the tool is highly complex, with development costs possibly reaching millions of dollars, and that some of its modules resemble those used in U.S. government cyber tools. However, Kaspersky security experts said there is currently not enough evidence to directly link its code to any known tools.

Security experts warn that cryptocurrency users should be vigilant against phishing pages and update their devices promptly when using mobile wallets or visiting related websites to reduce the risk of mnemonic leaks and digital asset theft.
