Security researchers have discovered that a sophisticated suite of iPhone hacking tools originally designed for government surveillance operations has escaped into the wild and is now being actively used by cybercriminal groups across multiple countries. The exploit kit, known as “Coruna,” was first identified in 2025 during an attempted government-linked spyware operation but has since appeared in attacks attributed to Russian espionage groups and to financially motivated hackers in China. Investigators say the toolkit uses chains of vulnerabilities (more than twenty separate flaws in some cases) to bypass Apple’s security defenses, often through so-called “watering hole” attacks in which a victim’s phone is compromised simply by visiting a malicious website. Analysts believe the technology likely originated within a U.S. government-associated framework before proliferating through espionage networks and eventually reaching criminal markets. Security experts warn that the episode highlights a recurring pattern: powerful cyber weapons developed by governments leak or are repurposed, and end up as tools for mass cybercrime against ordinary users, businesses, and political targets. The situation echoes past incidents such as the EternalBlue exploit, which demonstrated that once digital weapons escape controlled environments, they rarely remain confined to their intended operators.
Sources
https://www.nextgov.com/cybersecurity/2026/03/potential-us-built-hacking-tools-obtained-foreign-spies-and-cybercriminals-research-says
https://www.scworld.com/brief/coruna-exploit-kit-government-hacking-tools-surface-in-cybercriminal-hands
Key Takeaways
- Government-developed cyber tools can leak or be repurposed, eventually spreading into criminal markets and dramatically expanding their impact.
- The Coruna exploit kit chains together dozens of iPhone vulnerabilities, allowing attackers to compromise devices through malicious websites and potentially steal sensitive financial or personal data.
- The situation resembles past cyberweapon leaks, reinforcing concerns that digital espionage capabilities often migrate from state actors to criminal networks over time.
In-Depth
The discovery of the Coruna exploit kit represents the latest reminder that in the digital age, government cyber capabilities rarely remain confined to their intended mission. According to multiple cybersecurity research groups, the toolkit was originally observed in 2025 during a surveillance operation linked to a government customer of a spyware vendor. Over the following months, investigators began to notice the same code appearing in very different contexts—first in a suspected Russian intelligence campaign targeting individuals in Ukraine and later in financially motivated attacks originating from Chinese cybercriminal infrastructure.
At its core, Coruna is a complex exploit framework designed to break into Apple’s iPhone ecosystem. Unlike the simplistic malware typically associated with consumer scams, this toolkit strings together dozens of vulnerabilities in Apple’s mobile operating system. In some cases, researchers say it relies on more than twenty individual flaws to bypass security protections. The result is an attack chain capable of silently installing spyware on a device if a victim merely visits a compromised webpage or clicks a malicious link embedded in a message.
What makes the situation particularly troubling is the apparent origin of the technology. Security analysts who reverse-engineered the code say it bears strong similarities to previously identified government-grade cyber frameworks, leading some experts to believe the exploit kit may have originated from a U.S. government development environment or contractor network. While officials have not publicly confirmed the attribution, researchers note the code’s sophistication and structure resemble tools associated with Western intelligence agencies.
Once these types of tools leave controlled environments, they often follow a predictable path. Initially developed for intelligence gathering or national security investigations, they are shared among government partners or contractors. From there, leaks, theft, or resale can push them into broader circulation among espionage groups and eventually into criminal marketplaces. In the case of Coruna, investigators believe the technology may have been sold or redistributed through the shadowy secondary market for so-called “zero-day” exploits: working attacks against vulnerabilities the vendor does not yet know about and therefore has not patched, which can command enormous prices.
The pattern has precedent. In 2017, a collection of hacking tools developed by the National Security Agency, including the EternalBlue exploit, was leaked online and within weeks was used in the global WannaCry and NotPetya attacks. Those incidents caused billions of dollars in economic damage and demonstrated how rapidly sophisticated cyberweapons can move from government arsenals to the broader criminal ecosystem.
Researchers warn that the Coruna toolkit could represent a similar turning point for mobile security. Although Apple has patched many of the vulnerabilities used in the exploit chain, older devices and phones running outdated versions of iOS remain exposed, since the chain only needs the flaws it targets to be unpatched on the victim’s device. In some campaigns already observed by analysts, the malware deployed through Coruna has been designed to harvest financial credentials and cryptocurrency wallet information, an indication that organized cybercriminal groups are adapting the technology for profit rather than espionage.
For policymakers and technology companies alike, the episode raises uncomfortable questions about the long-term consequences of developing offensive cyber capabilities. Governments often argue that such tools are necessary for intelligence and law-enforcement operations, yet history shows that digital weapons are uniquely difficult to contain. Once code is copied, leaked, or sold, it can propagate indefinitely across networks and borders.
From a broader perspective, the Coruna incident underscores the growing convergence between state-level cyberwarfare and everyday cybercrime. Techniques once reserved for intelligence agencies are increasingly appearing in criminal operations targeting ordinary users, businesses, and financial systems. In an era where smartphones serve as digital vaults for personal and financial data, that convergence represents a significant security challenge—and one that is unlikely to disappear anytime soon.