A set of advanced hacking tools once used for government surveillance is now being used by cybercriminals to attack Apple iPhones. This shift has raised new concerns among cybersecurity experts and policymakers.
Security researchers have found that the exploit toolkit, called Coruna, is being used in several hacking campaigns against iPhones with outdated software. TechCrunch reports that these exploits, once used by governments, are now in the hands of criminals.
The discovery highlights a growing risk in cybersecurity: tools designed for state intelligence operations can eventually leak and become weapons for cybercrime.
From Government Surveillance Tool to Criminal Weapon
The Coruna toolkit was first detected by Google’s security researchers during an investigation in February 2025, when a surveillance vendor attempted to use spyware to compromise a target’s iPhone on behalf of a government customer.
Researchers later observed the same exploit kit appearing in multiple campaigns. According to TechCrunch, the tools were subsequently used by a Russian espionage group targeting Ukrainian users and later by a financially motivated hacker targeting victims through Chinese-language websites.
The spread of this toolkit shows how cyber-espionage tools can turn into criminal resources once they leave their original setting.
Cybersecurity firm iVerify, which obtained and analyzed the exploit kit, said its analysis suggests the toolkit may have links to U.S. government hacking tools. The company noted similarities between Coruna and techniques associated with a past iPhone hacking campaign known as Operation Triangulation, which researchers have previously connected to U.S. intelligence operations.
Exploiting Multiple iPhone Vulnerabilities
The Coruna toolkit is especially worrying because it takes advantage of so many vulnerabilities.
Google’s investigation found that the exploit chain includes 23 different vulnerabilities. This lets attackers break into iPhones in several ways.
In some cases, victims could be infected simply by visiting a malicious webpage in what cybersecurity experts call a “watering hole” attack, where hackers compromise a website that a specific group of targets is likely to visit.
This kind of attack lets hackers use custom code that can get past many of Apple’s security protections.
Wired reported that the toolkit represents a highly sophisticated set of iPhone hijacking techniques that may have infected tens of thousands of devices worldwide.
Because the exploit chain is so advanced, experts think these tools were first made by a well-funded group, probably a government or state contractor.
A Growing Market for “Secondhand” Exploits
The use of Coruna in cybercrime shows what researchers call a growing underground market for reused government hacking tools.
Google’s security researchers say this case points to a new trend. Vulnerabilities made for intelligence agencies are now being resold or reused by criminals looking to make money.
Security analysts warn that this could happen more often as governments and contractors keep collecting digital exploits.
The situation mirrors earlier incidents in which advanced cyber weapons leaked into the criminal world. One prominent example occurred in 2017, when hacking tools developed by the U.S. National Security Agency were stolen and later used in global attacks such as the WannaCry ransomware outbreak.
Concerns Over Security and Accountability
Cybersecurity experts say the Coruna case points to a bigger problem with offensive cyber tools.
These tools are often made for intelligence or national security, but they create long-term risks if leaked or stolen. Once out, the same methods can be used by criminals, rival governments, or spies.
Researchers from iVerify warned that the wider adoption of such tools increases the likelihood of leaks, noting that “the more widespread the use, the more certain a leak will occur.”
The firm stressed that no matter where the toolkit came from, the main worry is that advanced cyber-espionage tools are now in the hands of bad actors.
Apple Has Issued Security Fixes
Apple has released security updates to fix the vulnerabilities used by the Coruna exploit chain. People using the latest iOS versions are thought to be safe from these attacks.
However, older devices that have not been updated or patched may still be at risk from similar attacks.
Security researchers are still watching the situation to see how far the tools have spread and if more hacking campaigns are happening.
For cybersecurity professionals, Coruna’s use in crime is a reminder that digital weapons rarely stay in their original hands. As more advanced cyber tools are developed, experts warn it will get harder to keep them from leaking into the wider hacking world.
