BEARISH 📉 : Google warns Coruna iOS exploits steal crypto wallet data from iPhones

Google warns a new iOS exploit kit, “Coruna,” is stealing seed phrases and wallet data from iPhone users who visit fake finance and crypto sites. The kit targets iOS 13.0–17.2.1 and chains multiple exploits to compromise devices on page load.

GTIG recovered Coruna with five full exploit chains and 23 exploits. Researchers tracked its 2025 evolution from a commercial-surveillance customer, to watering-hole attacks on compromised Ukrainian sites, and then to broad Chinese-language scam campaigns linked to actor UNC6691.

Delivery came via fake finance pages, including a spoofed WEEX exchange site, that nudged visitors onto iOS and then injected a hidden iframe. Fingerprinting identified the iPhone model and iOS version, then loaded a WebKit RCE plus a PAC bypass to start the chain. One recovered RCE mapped to CVE-2024-23222, which Apple fixed in iOS 17.3 on Jan 22, 2024.

At the end, Coruna drops a stager GTIG calls PlasmaLoader or PLASMAGRID. Focus: financial theft, not classic monitoring. It can decode QR codes from stored images, scan text for BIP39 word sequences and keywords like “backup phrase” and “bank account,” including in Apple Memos, and exfiltrate matches.

The payload is modular. GTIG observed modules hooking functions and siphoning sensitive data from popular mobile wallets: MetaMask, Trust Wallet, Uniswap Wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper. First mention: TON.

Mitigations from Google: Coruna is not effective against the latest iOS. Users should update; if unable, enable Apple’s Lockdown Mode. Google also added the identified domains to Safe Browsing to reduce exposure.
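For teams managing several iPhones, the guidance above can be applied as an inventory triage. This is an added example, not code from Google's report or the original post: the device names and inventory are constructed, and the iOS 16 minimum for Lockdown Mode is Apple's documented requirement rather than something stated on this page.

```python
import csv
import io

AFFECTED_MIN = (13, 0, 0)   # page: kit targets iOS 13.0 ...
AFFECTED_MAX = (17, 2, 1)   # ... through iOS 17.2.1
LOCKDOWN_MIN = (16, 0, 0)   # assumption from Apple docs: Lockdown Mode needs iOS 16+

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = """device,ios_version
finance-01,17.2.1
finance-02,17.3
exec-03,15.8
lab-04,12.5.7
kiosk-05,16.7.2
broken-06,unknown
"""

def parse_version(text):
    """Turn '17.2' into (17, 2, 0); return None for anything malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(version_text):
    """Map one reported iOS version to the action the guidance implies."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: verify the OS version manually"
    if not AFFECTED_MIN <= v <= AFFECTED_MAX:
        # Outside the range the report names; staying current is still the fix.
        return "outside stated range: keep on the latest iOS"
    if v >= LOCKDOWN_MIN:
        return "in range: update; if not possible, enable Lockdown Mode"
    # Devices on iOS 13-15 have no Lockdown Mode fallback.
    return "in range: update; Lockdown Mode unavailable before iOS 16"

def triage_inventory(csv_text):
    """Return {device: action} for a CSV with device,ios_version columns."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: triage(r["ios_version"]) for r in rows}

if __name__ == "__main__":
    for device, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {action}")
```

The case worth noticing is the iOS 13–15 devices: they sit inside the targeted range but cannot use the Lockdown Mode fallback, so updating or retiring them is the only option.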

Why it matters for crypto investors: mobile wallets mix high-value assets with frequent web traffic. GTIG’s data shows a “visit-to-compromise” funnel tuned to device model and iOS version, where a single page view from a vulnerable iPhone could lead to seed phrase theft.

Headline
Google: Coruna iOS kit steals wallet seed phrases on iPhones, hitting iOS 13–17.2.1; latest iOS blocks it