iPhone Users Warned: Crypto Scams Can Trigger ‘Coruna’ iOS Exploits
Google’s Threat Intelligence Group (GTIG) is warning that a “new and powerful” iOS exploit kit, dubbed Coruna by its developers has been deployed on fake finance and crypto websites designed to lure iPhone users into vis...
Archive context
Older archive item. Useful for background and entity history, but not a fresh market-moving signal.
Google’s Threat Intelligence Group (GTIG) is warning that a “new and powerful” iOS exploit kit, dubbed Coruna by its developers has been deployed on fake finance and crypto websites designed to lure iPhone users into visiting pages that can silently deliver exploits. For crypto holders, the risk is blunt: GTIG’s analysis shows the campaigns ultimately focused on harvesting seed phrases and wallet data from popular mobile apps.
Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, bundling five full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution across 2025, from early use by a customer of a commercial surveillance company, to “watering hole” attacks on compromised Ukrainian websites, and finally to broad-scale distribution via Chinese-language scam sites tied to a financially motivated actor it tracks as UNC6691.
A Crypto Lure Designed For iPhonesIn the scam-wave phase, GTIG says it observed the JavaScript framework behind Coruna deployed across a “very large set” of fake Chinese websites largely themed around finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that tried to push visitors onto an iOS device—after which a hidden iFrame would be injected to deliver the exploit kit “regardless of their geolocation.”
The delivery mechanics matter because they blur the line between traditional phishing and outright device compromise: in GTIG’s telling, simply arriving on the booby-trapped page from a vulnerable iPhone was enough to begin the chain. The framework fingerprints the device to identify model and iOS version, then loads the appropriate WebKit remote code execution exploit and a pointer authentication (PAC) bypass.
GTIG tied one WebKit RCE it recovered to CVE-2024-23222, noting it was addressed by Apple in iOS 17.3 on Jan. 22, 2024.
At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on classic surveillance features and more on stealing financial information. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, along with keywords such as “backup phrase” and “bank account”, including in Apple Memos, which it can then exfiltrate.
The payload is also modular. GTIG says it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions and exfiltrate sensitive information from common crypto wallet apps—among them MetaMask, Trust Wallet, Uniswap’s wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper.
The broader arc was also flagged by mobile security firm iVerify, which published its own findings around the same time as GTIG’s report. “And that’s exactly what happened again here, but on mobile devices. Phone OEMs do as good a job as anyone can do…”
What Crypto Users Can Do NowGoogle says Coruna “is not effective against the latest version of iOS,” and urges users to update. If updating isn’t possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it added the identified websites and domains to Google Safe Browsing to help reduce further exposure.
For crypto-native users, the immediate takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, which makes “visit-to-compromise” campaigns uniquely dangerous. GTIG’s reporting suggests the scam funnel wasn’t just about getting victims to connect wallets, it was about getting them onto the right device, on the right iOS version, so exploitation could do the rest.
At press time, the total crypto market cap stood at $2.45 trillion.
Why this matters
Uniswap is showing up inside the Security Incidents theme, so this story is worth tracking for follow-through rather than treating it as a one-off headline.
Original source
Read on NewsBTCRelated market context
Trust Wallet integrates Intercepta’s security technology for 220M users
The integration elevates security standards across the crypto wallet industry, but centralizes risk, posing potential systemic vul...
Xapo Bank Review: Premium Bitcoin Banking for Global USD Users
Xapo Bank is best for Bitcoin-first global members who want regulated USD banking, premium custody, and card/payments in one app r...
Tether freezes 134 ISIS terror wallets as stablecoins now sit inside the sanctions machine
ISIS-K, the Islamic State affiliate active across Afghanistan, Pakistan, and parts of Central Asia, had USDT balances frozen on 13...
Metamask Launches Money Account With up to 4% APY and Mastercard Spending Access
Metamask has launched Money Account, a self-custodial feature that lets users earn up to about 4% APY on mUSD while trading, sendi...
Tether Freezes Over 130 Tron Wallets Tied to Terror Group
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) updated its designation of ISIS-K on July 1 to add 134 cryptocurrency...
Tether Freezes USDT in 131 TRON Wallets Under Updated OFAC Sanctions
There is a reason this one is worth separating from the usual market noise. Tether Freezes USDT in 131 TRON Wallets Under Updated...