U.S. Government iPhone Hacking Tools Have Leaked to Cybercriminals and Foreign Spies

iPhone hacking cybersecurity exploit government surveillance tools

Government Hacking Tools End Up in Criminal Hands

A powerful suite of iPhone hacking tools originally developed for government surveillance has leaked into the hands of cybercriminals and foreign espionage groups. Google's security team discovered the exploit kit, dubbed Coruna, after tracking it from a government surveillance vendor to Russian spies and then to financially motivated hackers in China.

The Coruna kit can compromise iPhones running iOS 13 through iOS 17.2.1 by chaining together 23 separate vulnerabilities. It works through a "watering hole" attack — victims simply need to visit a malicious website containing the exploit code. No interaction required. No warning given.

From Government Tool to Criminal Weapon

Google first identified Coruna in February 2025 during a surveillance vendor's attempt to hack a target's phone on behalf of a government customer. Months later, the same exploit kit appeared in a broad campaign by a Russian espionage group targeting Ukrainian users. It then surfaced again in the hands of a financially motivated hacker in China.

Mobile security firm iVerify reverse-engineered the tools and linked them to the U.S. government, based on similarities to hacking tools previously attributed to the United States. The company warned: "The more widespread the use, the more certain a leak will occur."

How Coruna Hacks an iPhone

The exploit kit is remarkably sophisticated. It can bypass an iPhone's defenses through five separate attack paths, relying on 23 chained vulnerabilities. Affected devices include every iPhone model running iOS 13 up to iOS 17.2.1, which was released in December 2023. Users running iOS 17.3 or later are not affected.

According to Wired, Coruna contains components previously used in Operation Triangulation, a hacking campaign that Russian cybersecurity firm Kaspersky claimed in 2023 was conducted by the U.S. government against its employees' iPhones.

This Has Happened Before

Government hacking tools leaking to criminals is not new. In 2017, the NSA discovered that its EternalBlue Windows exploit had been stolen. The tool was later used in the WannaCry ransomware attack by North Korea, which crippled hospitals, businesses, and government agencies worldwide.

More recently, Peter Williams, the former head of U.S. defense contractor L3Harris Trenchant, was sentenced to over seven years in prison for stealing and selling eight exploits to a broker known to work with the Russian government. Those exploits were capable of hacking into "millions of computers and devices" worldwide.

The Bottom Line

Every time a government builds a back door or stockpiles exploits, it creates a ticking time bomb. The Coruna leak is the latest proof that offensive hacking tools do not stay in responsible hands. They leak, they spread, and they end up being used against the very citizens the government claims to protect. If your iPhone is running anything older than iOS 17.3, update it now. And the next time a government official argues for encryption back doors or mandatory device access, remember Coruna: the tool built to hack bad guys that ended up hacking everyone else.