iPhone Crypto Wallets Under Siege: The Rise of the Coruna Exploit Kit

The age when iPhones were deemed impenetrable is fading fast—especially for mobile crypto traders. A newly emerged threat, dubbed the Coruna exploit kit, is exploiting 23 distinct iOS vulnerabilities to outmaneuver Apple’s robust security systems, leading to significant losses for crypto wallet users.

The Threat Unveiled

The insight from a recent Google TAG report reveals that the Coruna exploit kit operates far more insidiously than merely crashing applications or bombarding users with advertisements. It stealthily scans for BIP39 seed phrases, captures QR codes, and extracts private keys from devices that haven’t been updated. Unfortunately, by the time users detect that their browser has been compromised, their assets may already be irretrievably depleted.

A Bold New Era of Cybercrime
This alarming development indicates a significant shift in the dynamics of cybercrime. Historically, advanced exploit chains were the exclusive toolkit of government espionage agencies. The launch of Coruna indicates that tools previously reserved for state actors are now being utilized for widespread retail theft.

Financial Impact: A Booming Black Market

According to Chainalysis reports, the crypto theft market is estimated to be worth over $75 billion as of 2025, with wallet drainers being a considerable contributor to that figure. As user assets remain vulnerable to these new exploit kits, the stakes for individual traders have never been higher.

How Coruna Operates: A New Age of Attacks

The Coruna exploit kit executes a seemingly simple “one-click” attack activated upon a user’s visit to a compromised website. These sites often masquerade as gambling or news platforms.

The Mechanics Behind the Attack

1. Targeting WebKit Vulnerabilities: By attacking vulnerabilities in Apple’s WebKit, Coruna gains access to the device.
2. Privilege Escalation: Once the browser’s sandbox has been compromised, local privilege escalation exploits allow it to bypass restrictions.
3. Multi-Pronged Approach: An analysis of iOS versions from 13.0 to 17.2.1 shows Coruna utilizing diverse entry points. It’s engineered specifically to drain crypto wallets.

Coruna meticulously scans file systems for cryptocurrency-related strings and examines the photo library for QR codes. Furthermore, it seeks out mnemonic phrases stored in the Notes app, resulting in a swift, automated theft of assets. Any user who engages in crypto trading on their iPhone should maintain heightened awareness.

From Espionage to Everyday Crime

Traditionally, complex exploit chains were exclusive to high-stakes surveillance operations—targeting individuals like journalists or dissidents. With the emergence of Coruna, such potent tools have been democratized for cybercriminals interested in financial gain rather than political espionage.

This invocation of state-grade exploits dramatically lowers the barrier for would-be attackers. Using tools that were once the sole domain of government intelligence agencies, looting crypto wallets has become an option for even the least experienced tech hackers.

The Target Demographic

Individuals who engage in mobile trading and utilize self-custody wallets are prime targets. The attacks typically find their way into platforms frequented by crypto enthusiasts—be it unregulated gambling sites, dubious token claim pages, or unverified third-party app stores.

The malware specifically hunts for data directories associated with widely-known wallets, including MetaMask, BitKeep, and Trust Wallet. If user encryption is weak or passwords are accounted for in compromised keychains, wallet drainers can capitalize on these vulnerabilities with ease.

User Behavior and the Risks

Mobile traders are often preoccupied with speed due to the nature of decentralized applications (DApps), sometimes neglecting fundamental security practices. Coruna capitalizes on this complacency, rapidly siphoning assets without needing to coax users into signing malicious transactions.

For the time being, it’s prudent for users to exercise caution. Consider transferring your crypto funds to cold wallet storage systems, such as Ledger or Trezor, to enhance security.

Final Thoughts

The rise of the Coruna exploit kit has initiated a seismic shift in the cybersecurity landscape—especially for mobile users engaged in cryptocurrency trading. With financial criminals now leveraging sophisticated attack vectors once reserved for espionage, the prudent course of action is to heighten your awareness and reconsider your security measures.

Stay safe, and tread wisely in the evolving world of mobile crypto trading.