Crypto: Google Uncovers Ios Exploit Kit Used In Crypto Phishing Attacks

Researchers say fake crypto websites deployed an iOS exploit kit capable of stealing wallet seed phrases and other financial data.

Threat researchers at Google say they have uncovered a new exploit kit targeting Apple iPhone users, aimed at stealing crypto wallet seed phrases.

The kit, named “Coruna” by its developers, targets iPhones running iOS versions 13.0 up to 17.2.1. It has “five full iOS exploit chains and a total of 23 exploits,” including ones that were previously unknown to the public, the Google Threat Intelligence Group (GTIG) said in a report on Wednesday.

The group said it first discovered the kit in February 2025 and has since tracked its use by a suspected Russian espionage group against Ukrainians, and later on fake Chinese crypto websites that aim to steal crypto.

GTIG said the kit doesn’t work with the latest version of iOS and urged iPhone users to update their devices to the latest software version. If that isn’t possible, users should put the phone in “Lockdown Mode,” which Apple says can counter sophisticated attacks.

GTIG said it came across parts of an iOS exploit in February 2025 in which a customer of a surveillance company used JavaScript to fingerprint the device to deliver the appropriate exploit.

Later that year, it found the same JavaScript framework hidden on multiple compromised Ukrainian websites that was “only delivered to selected iPhone users from a specific geolocation.”

GTIG said it then found the same framework in December “on a very large set of fake Chinese websites mostly related to finance,” including one that spoofed the crypto exchange WEEX.

When a user accesses the websites with an iOS device, the framework delivers the exploit kit and hunts for financial information, including analyzing texts containing seed phrases and keywords such as “backup phrase” or “bank account.”

Related: ‘ClickFix’ hackers pose as VCs, hijack QuickLens in latest crypto attacks

Source: CoinTelegraph