Google noted that Apple has patched the vulnerabilities used by Coruna in the latest version of its mobile operating system, iOS 26, so its exploit methods are only confirmed to work against iOS 13 up to 17.2.1. It targets vulnerabilities in Apple’s WebKit framework for browsers, so Safari users on older versions of iOS may be vulnerable, but there are no confirmed techniques in the toolkit for targeting Chrome users. Google also noted that Coruna checks whether an iOS device has Apple’s strictest security settings, known as Lockdown Mode, enabled, and won’t try to hack the device if it does.
Despite the limitations, iVerify says Coruna may have infected thousands of phones. The company consulted a partner who had access to network traffic and counted visits to a command-and-control server for the cybercriminal version of Coruna that infects Chinese-language websites. The number of connections suggests, iVerify says, that roughly 42,000 devices may have been hacked using the for-profit campaign’s toolkit alone.
How many other victims Coruna has hit, including Ukrainians who visited websites infected with the code of a suspected Russian spy operation, remains unclear. Google declined to comment beyond its published report. Apple did not immediately comment on Google’s or iVerify’s findings.
In iVerify’s analysis of the cybercriminal version of Coruna—it did not have access to any previous versions—the company found that the code appears to have been modified to plant malware on target devices designed to drain cryptocurrency from crypto wallets as well as steal photos and, in some cases, emails. Those additions, however, are “poorly written” compared to Coruna’s underlying toolkit, which he finds more polished and modular, according to iVerify chief product officer Spencer Parker.
“My God, these things are professionally written,” Parker said of the exploits included in Coruna, suggesting that the more sinister malware was added by cybercriminals who later obtained that code.
Regarding clues that suggest Coruna’s origins as a US government toolkit, iVerify’s Cole says it’s possible that the overlap between Coruna’s code and the Operation Triangulation code pinned on Russia by US hackers could be based on Triangulation components that were removed and repurposed after they were discovered. But Cole argues that’s not possible. Many of Coruna’s components have never been seen before, he points out, and the entire toolkit seems to have been created by a “single author,” as he puts it.
“The framework is coming together very well,” said Cole, who used to work for the NSA but says he’s been out of government for more than a decade and didn’t base any of his findings on his own prior knowledge of US hacking tools. “It looks like it was written in its entirety. It doesn’t look like it was put together.”
If Coruna is, in fact, a US hacking toolkit gone rogue, how it got into foreign and criminal hands remains a mystery. But Cole points to industry brokers who can pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive at US government contractor Trenchant, was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memo says Trenchant sold hacking tools to the US intelligence community as well as others in the “Five Eyes” group of English-speaking governments—the US, UK, Australia, Canada and New Zealand—although it’s unclear what specific tools he sold or what tools they targeted.
“These zero-day and leveraged brokers tend to be unreliable,” Cole said. “They sell to the highest bidder and they double dip. There are a lot of non-exclusive arrangements. That’s what happened here.”
“One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to anyone willing to pay,” Cole concluded. “The genie is out of the bottle.”






