
State Spyware Leaks to Criminal Networks, Infecting 42,000 iPhones

A sophisticated iPhone hacking toolkit—likely built for US intelligence—has escaped into the wild, deployed by Russian spies and Chinese cybercriminals in what researchers call a catastrophic proliferation of nation-state surveillance technology.

Google revealed Tuesday that a government-grade iPhone exploit kit dubbed Coruna has migrated from surveillance contractors to Russian espionage groups and financially motivated hackers, with evidence pointing to possible US government origins. The toolkit was first observed in February 2025 during a surveillance vendor’s operation, reappeared in July targeting Ukrainian users via Russian espionage campaigns, then surfaced in December on Chinese gambling and cryptocurrency sites designed to steal digital assets, according to researchers at TechCrunch.

The toolkit is now confirmed in use by at least three foreign intelligence services and two organized crime groups, with 42,000 iPhones already compromised, according to mobile security firm iVerify. Victims include journalists, human rights activists, opposition politicians, and corporate executives—precisely the targets that adversarial governments and criminals prioritize, but with capabilities that were supposed to be restricted to US law enforcement operating under judicial oversight.

Coruna by the Numbers
  • Exploit chains: 5 complete
  • Vulnerabilities weaponized: 23 total
  • Affected iOS versions: 13.0 to 17.2.1
  • Known infections: 42,000 devices

From Classified Tool to Criminal Commodity

The Coruna exploit kit contains five full iOS exploit chains and a total of 23 exploits, including vulnerabilities that enable remote code execution and sandbox escapes via ordinary web content, exploiting flaws in WebKit’s memory handling and other browser subsystems, according to Help Net Security. The exploit kit appears capable of targeting iPhone models running iOS 13.0, released in September 2019, through iOS 17.2.1, released in December 2023.

Forensic analysis by iVerify and Google suggests American origins. Coruna contains multiple components previously used in a hacking operation known as Triangulation, which was discovered targeting the Russian cybersecurity firm Kaspersky in 2023 and which the Russian government claimed was the work of the NSA. Coruna’s code also appears to have been originally written by English-speaking coders, according to security researchers quoted in DNYUZ. iVerify, a mobile security company that obtained and reverse-engineered the hacking tools, said in a blog post that it linked the Coruna exploit kit to the U.S.

  • February 2025, First Detection: Google identifies Coruna during a surveillance vendor’s operation on behalf of a government customer.
  • July 2025, Russian Espionage: Toolkit deployed in watering-hole attacks on Ukrainian websites by a suspected Russian group.
  • December 2025, Criminal Use: Financially motivated hackers use Coruna on Chinese crypto and gambling sites.
  • March 2026, Public Disclosure: Google and iVerify publish research detailing the exploit kit and its proliferation.

The leak mechanism remains unclear, but the timing is telling. Peter Williams, an executive at US government contractor Trenchant, was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero between 2022 and 2025. Williams’ sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as to others in the Five Eyes group of English-speaking governments (the US, UK, Australia, Canada and New Zealand), though it remains unclear whether Williams handled Coruna specifically.

The Exploit Broker Economy

Google security researchers warned of an emerging market for second-hand exploits, sold to financially motivated hackers who extract further value from them, describing a grey market in which tools originally commissioned by governments are recycled through brokers. Security analysts note that zero-day and exploit brokers tend to be unscrupulous, selling to the highest bidder and double-dipping, since many have no exclusivity arrangements, according to iVerify’s Rocky Cole, a former NSA employee quoted in DNYUZ.

The Coruna case echoes the 2017 leak of EternalBlue, the Windows exploit stolen from the National Security Agency that went on to enable catastrophic cyberattacks, including North Korea’s WannaCry worm and Russia’s NotPetya attack. Security researchers describe Coruna as the EternalBlue moment for mobile malware.

Context

Commercial spyware has become a $12 billion global industry, with at least 74 governments purchasing surveillance technology from private companies between 2011 and 2023, according to research compiled by civil society organizations. The Wassenaar Arrangement, established to control dual-use technology exports, added spyware items to its control list in 2013, but enforcement remains fragmented across national jurisdictions. The EU’s recast Dual-Use Regulation introduced catch-all controls for cyber-surveillance tools in 2021, though implementation has been limited.

Attribution Challenges and Policy Implications

The Coruna proliferation exposes fundamental weaknesses in the vulnerability equities process—the supposedly rigorous system for deciding whether to disclose security flaws to vendors or weaponize them for intelligence collection. Congressional oversight committees are reportedly demanding briefings on how US-origin surveillance tools ended up in adversarial hands.

For Apple, the incident underscores the challenge of defending against adversaries who possess state-level resources. Apple patched the vulnerabilities used by Coruna in the latest version of its mobile operating system, iOS 26, so its exploitation techniques are only confirmed to work against iOS 13 through 17.2.1, according to StartupNews. It targets vulnerabilities in Apple’s WebKit browser framework, so Safari users on those older versions of iOS would be vulnerable, though Chrome users appear unaffected.

Apple received initial threat intelligence about Coruna on March 1st and has been working around the clock on patches, but the company faces a broader strategic dilemma. In September 2025, Apple dropped its lawsuit against NSO Group—maker of the Pegasus spyware—due to fears that the trial would expose sensitive threat intelligence methods. The company has since expanded Lockdown Mode, a high-security feature; Coruna checks whether an iOS device has it enabled and does not attempt to compromise the device if so.

Key Takeaways
  • State-developed exploits leak into criminal markets through brokers who sell to multiple buyers without exclusivity
  • Attribution becomes impossible when the same toolkit appears in surveillance operations, espionage campaigns, and financial cybercrime
  • Export controls under the Wassenaar Arrangement and EU Dual-Use Regulation have failed to prevent proliferation
  • Apple’s defensive measures—rapid patching, Lockdown Mode—mitigate but cannot eliminate risk for users on older iOS versions
  • The vulnerability equities process faces scrutiny as tools intended for lawful interception enable adversary intelligence and organized crime

What to Watch

Congressional hearings on the Coruna leak will test whether the vulnerability equities process requires statutory reform or merely tighter operational security. The EU is conducting its first evaluation of the 2021 Dual-Use Regulation; expect pressure for harmonized licensing, systematic end-use monitoring, and public reporting on spyware export denials.

For enterprise security teams, the Coruna timeline—nine months from government use to criminal deployment—establishes a benchmark for how quickly state-level exploits proliferate. Organizations with high-value personnel should mandate iOS 26 upgrades and enable Lockdown Mode for executives, legal staff, and anyone handling sensitive competitive intelligence.
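As an added illustration of that recommendation (this is not code from the article, Google or iVerify), the following Python script reads a constructed MDM-style inventory export, checks each device’s iOS version against the 13.0 to 17.2.1 range the article gives, and separates devices with Lockdown Mode enabled from those without. The export format and its column names (device_id, user, ios_version, lockdown_mode) are assumptions.

```python
"""Fleet triage for the iOS range the article says Coruna is confirmed to work
against (13.0 through 17.2.1, inclusive), cross-checked with Lockdown Mode.

Added example, not code from the article, Google or iVerify. The CSV below is
a constructed stand-in for an MDM inventory export; its column names
(device_id, user, ios_version, lockdown_mode) are assumptions.
"""
from __future__ import annotations

import csv
import io
from typing import NamedTuple

# Inclusive bounds quoted by the article, normalised to three components so
# that "13.0" and "13.0.0" compare equal under tuple comparison.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory (not real devices or users).
SAMPLE_INVENTORY = """\
device_id,user,ios_version,lockdown_mode
iph-001,exec-a,17.2.1,false
iph-002,legal-b,17.2.1,true
iph-003,exec-c,13.0,false
iph-004,comms-d,17.3,false
iph-005,exec-e,26.0,true
iph-006,finance-f,12.5.7,false
"""


class Device(NamedTuple):
    device_id: str
    user: str
    ios_version: str
    lockdown_mode: bool


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse an iOS version string such as '17.2.1' into a comparable tuple.

    Tuple comparison only behaves when every tuple has the same length, so
    shorter strings ('13', '13.0') are padded with zeros. Anything that is not
    one to three dotted integers is rejected rather than silently classified.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def in_affected_range(version: str) -> bool:
    """True when the version lies within the article's confirmed range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_inventory(csv_text: str) -> list[Device]:
    """Read the (assumed) MDM export format into Device records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Device(
            device_id=row["device_id"],
            user=row["user"],
            ios_version=row["ios_version"],
            lockdown_mode=row["lockdown_mode"].strip().lower() == "true",
        )
        for row in reader
    ]


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Sort devices into action buckets.

    affected_no_lockdown:    in the confirmed range with no Lockdown Mode;
                             upgrade these first.
    affected_lockdown:       in the confirmed range; the article says Coruna
                             skips devices with Lockdown Mode on, but the
                             underlying flaws are still present, so these
                             still need the upgrade.
    outside_confirmed_range: newer than 17.2.1 or older than 13.0; not known
                             to be targeted, which is not the same as safe.
    """
    report: dict[str, list[str]] = {
        "affected_no_lockdown": [],
        "affected_lockdown": [],
        "outside_confirmed_range": [],
    }
    for d in devices:
        if not in_affected_range(d.ios_version):
            report["outside_confirmed_range"].append(d.device_id)
        elif d.lockdown_mode:
            report["affected_lockdown"].append(d.device_id)
        else:
            report["affected_no_lockdown"].append(d.device_id)
    return report


if __name__ == "__main__":
    for bucket, ids in triage(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{bucket:24s} {', '.join(ids) or '-'}")
```

Run directly, it prints the three buckets for the constructed inventory. In practice the CSV would come from the MDM’s own device export, and devices outside the confirmed range still belong on the normal patch cadence; the script only tells you which ones the article’s data says to move first.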

The broader question is whether democracies can maintain offensive cyber capabilities without arming their adversaries. If the answer is no, the case for disclosure over exploitation strengthens considerably. If US-origin tools continue appearing in adversary arsenals, allies in the Five Eyes partnership may reconsider intelligence-sharing arrangements that assume operational security Washington can no longer guarantee.