The trajectory of a piece of software called Coruna tells a story that Western governments would prefer remained invisible: a sophisticated iPhone hacking toolkit, almost certainly developed by US government contractors, has traveled from American intelligence agencies through Russian espionage operations targeting Ukrainians to cybercriminal groups draining cryptocurrency wallets from Chinese-speaking users.

The toolkit’s journey — from controlled government asset to uncontrolled weapon available to the highest bidder — represents the structural consequences of an offensive cyber capability industry that governments have quietly nurtured for two decades while publicly championing digital security.

What Coruna is and where it came from

Google security researchers released a report detailing Coruna as a highly sophisticated iPhone hacking toolkit that reportedly exploits multiple distinct vulnerabilities in iOS and includes several complete attack chains capable of bypassing iPhone security defenses. The toolkit can silently install malware when users simply visit compromised websites — no clicks, no downloads, no user interaction required.

Security researchers have traced what Wired reported as a three-stage proliferation pattern. Google first traced components of Coruna to hacking techniques spotted in an espionage campaign and attributed to a “customer of a surveillance company.” Months later, a more complete version surfaced in an espionage campaign by a suspected Russian spy group, embedded in visitor-counting components of Ukrainian websites. Most recently, the toolkit appeared in a profit-focused campaign infecting Chinese-language crypto and gambling sites to steal cryptocurrency.

The code contains multiple components previously used in Operation Triangulation — a mobile malware campaign discovered targeting Russian cybersecurity firm Kaspersky, which the Russian government attributed to the NSA. According to security experts, the code appears to have been originally written by English-speaking developers and cost millions of dollars to create.

Security researchers have described this as the first example of what appears to be US government tools spinning out of control and being used by both adversaries and cybercriminal groups.

The exploit broker pipeline

Coruna did not escape through a single security breach. It proliferated through the structural incentives of an industry that governments themselves created: the zero-day exploit market.

The pattern is well-established. Governments fund private contractors to develop offensive hacking capabilities. Those contractors employ engineers who understand the tools intimately. And a parallel market of exploit brokers — some operating legally, others in grey zones — creates financial incentives for those tools to move beyond their original customers.

This month provided a concrete illustration of that pipeline. Peter Williams, a former executive at US government contractor Trenchant, was sentenced to seven years in federal prison for selling hacking tools to Operation Zero, a Russian zero-day broker, between 2022 and 2025. Trenchant itself sold hacking tools to US intelligence agencies and Five Eyes governments. The US Treasury Department simultaneously sanctioned the owner of Operation Zero and several associates.

Williams’s case illustrates the fundamental tension in offensive cyber operations: the same institutional structures that produce these tools also create the conditions for their proliferation. A contractor that builds exploits for the NSA employs people who can sell those exploits to Moscow. The knowledge doesn’t stay within borders because the market for it is global and lucrative. This is not a bug in the system — it is the system operating according to its structural incentives.

The scale of exposure

Security researchers estimate that tens of thousands of devices were infected in the cybercriminal campaign alone, based on analysis of command-and-control server traffic. That figure captures only the criminal deployment; infections from the Russian espionage campaign targeting Ukrainian websites remain unquantified.

Apple has reportedly patched vulnerabilities exploited by Coruna in recent iOS updates, but exploitation techniques may remain effective against older iOS versions. Users who have not updated their devices — or who cannot, because their hardware no longer supports the latest operating system — may remain exposed. Safari users who have not enabled Lockdown Mode are particularly vulnerable.

Security experts have characterized this as a significant moment for mobile malware, drawing comparisons to the NSA’s EternalBlue exploit, which leaked and was subsequently used in the WannaCry ransomware attack that crippled hospitals, shipping companies, and government agencies globally. The implication: Coruna’s complete attack chains, now in the wild, will be adapted, modified, and redeployed by any well-resourced attacker who can access them.

The structural problem governments won’t address

The Coruna case exposes a policy contradiction that Western governments have managed to avoid confronting for years. The United States simultaneously positions itself as an advocate for global cybersecurity — funding defensive research, warning allies about threats, sanctioning foreign hacking operations — while maintaining the world’s most sophisticated offensive cyber capability apparatus and the contractor ecosystem that supports it.

This is not a new dynamic. The global surveillance industry has long operated on the principle that tools built for “legitimate” government use will remain under control. NSO Group’s Pegasus spyware was sold to governments worldwide under similar assurances — and was subsequently found targeting journalists, human rights activists, and opposition politicians across multiple countries.

What Coruna demonstrates is that the problem has evolved beyond individual companies or rogue employees. The exploit market itself has matured into a global industry with its own supply chains, brokers, and distribution networks. A tool developed by an American contractor for American intelligence can move to a Russian broker, be deployed against Ukrainian civilians, and then be repurposed by cybercriminals targeting users in China — all within months.

The sentencing of Peter Williams may serve as a deterrent in individual cases, but it does nothing to address the structural incentive: as long as governments pay millions for offensive exploits, there will be a secondary market for those exploits. The same profit structures that drive internet shutdowns and surveillance infrastructure sales operate here. The product is control over digital systems, and the buyers are anyone who can pay.

What comes next

For everyday iPhone users, the immediate guidance is straightforward: update to the latest iOS version and enable Lockdown Mode if you have reason to believe you may be targeted. For the broader technology ecosystem, the implications are more uncomfortable.

The Coruna toolkit’s complete attack chains represent years of research and development — the kind of investment only government budgets or government-adjacent contracts typically support. Now that these techniques are documented and circulating, they lower the barrier for future attackers. Security researchers will study them. So will offensive hackers. The asymmetry that once favored state actors — access to billions in R&D funding — narrows every time a toolkit like this enters the wild.

Security experts describe the situation as irreversible. The question policymakers will need to answer — and so far have not — is whether the intelligence value of maintaining offensive cyber capabilities justifies the inevitable cost when those capabilities proliferate. Every dollar spent developing a zero-day exploit is simultaneously an investment in a future vulnerability that will, given enough time and enough brokers, affect the very populations governments claim to protect.

The Coruna timeline — American contractors to Russian spies to Chinese-targeting criminals — is the global exploit market operating exactly as its structural incentives predict. The surprise is not that it happened. The surprise is that anyone expected otherwise.
