Imagine a world where a tool designed to protect national security ends up in the hands of cybercriminals and foreign spies, wreaking havoc on innocent lives. That’s exactly what’s happening right now with a powerful iPhone-hacking toolkit, and the story behind it is as shocking as it is complex. But here’s where it gets even more unsettling: this toolkit, now dubbed “Coruna,” may have originated from a U.S. government contractor, only to spiral out of control and land in the arsenals of Russian spies, cybercriminals, and who knows who else.
Earlier this week, Google’s security researchers dropped a bombshell report detailing Coruna—a highly sophisticated hacking toolkit capable of silently infecting iPhones with malware just by visiting a compromised website. This isn’t your average phishing scam; Coruna exploits a staggering 23 vulnerabilities in iOS, a feat so advanced it screams of state-sponsored development. And this is the part most people miss: its journey from a potential U.S. government tool to a weapon used by adversaries is a chilling reminder of the double-edged sword that is cybersecurity.
But how did we get here? Google’s investigation traces Coruna’s origins back to early 2023, when components of the toolkit were spotted in attacks attributed to a “customer of a surveillance company.” Fast forward five months, and a more complete version of Coruna emerged in an espionage campaign targeting Ukrainians, allegedly carried out by Russian spies. If that wasn’t alarming enough, the toolkit then resurfaced in a profit-driven scheme, infecting Chinese-language crypto and gambling sites to steal cryptocurrency from unsuspecting victims.
Here’s the kicker: while Google’s report avoids naming the original surveillance company, mobile security firm iVerify suggests the toolkit’s roots may lie in a U.S. government project. Rocky Cole, iVerify’s cofounder, points out that the code is written in English, bears hallmarks of U.S. government tools, and shares similarities with the “Triangulation” operation—a hacking campaign Russia blamed on the NSA. Is this a case of U.S. tools gone rogue, or something more sinister?
And this is the part that should keep you up at night: Coruna’s proliferation mirrors the infamous “EternalBlue” debacle, where a leaked NSA tool fueled global cyberattacks like WannaCry and NotPetya. If Coruna started as a U.S. government asset, its leak raises grave questions about the security of mobile devices in an era where even the most advanced tools can fall into the wrong hands.
Apple has since patched the vulnerabilities exploited by Coruna in iOS 26, but older versions remain at risk. Despite this, iVerify estimates that tens of thousands of devices have already been compromised, with one cybercriminal campaign alone potentially infecting 42,000 phones. The full scale of the damage, including victims of the Russian espionage campaign, remains unknown.
Here’s the controversial question: If Coruna was indeed a U.S. government tool, does its leak highlight a systemic failure in how such powerful technologies are managed? Or is this an inevitable consequence of the shadowy zero-day exploit market, where brokers sell vulnerabilities to the highest bidder, regardless of their intentions? The recent sentencing of a U.S. contractor for selling hacking tools to Russian brokers suggests the latter, but the debate is far from over.
As Cole puts it, ‘The genie is out of the bottle.’ But what does this mean for the future of cybersecurity? Are we doomed to repeat history, or can we learn from this cautionary tale? Let’s discuss—what do you think? Is the U.S. government partly to blame, or is this an unavoidable risk in the digital age? Share your thoughts in the comments below.
