iPhone Crypto Exploit activity has raised alarm among cybersecurity experts after Google researchers discovered a toolkit designed to steal cryptocurrency wallet data from Apple devices. The exploit targets iPhones running older versions of Apple’s iOS operating system and focuses on extracting sensitive financial information.
According to security analysts, the attack attempts to locate wallet seed phrases, which allow criminals to restore access to crypto accounts and move funds without the owner’s permission.
iPhone Crypto Exploit discovered by Google researchers
The iPhone Crypto Exploit toolkit was identified by the Google Threat Intelligence Group during an investigation into suspicious online activity. The toolkit, known as Coruna, contains multiple exploit chains that target vulnerabilities in iOS versions ranging from 13.0 to 17.2.1.
Researchers found that the system includes more than twenty exploits. Some of the vulnerabilities had not been previously reported to the cybersecurity community.
The exploit toolkit was first detected in early 2025. Attackers used specially crafted JavaScript code that scanned a visitor’s device information before delivering the appropriate exploit.
Once the system identified the model and operating system version of the device, it launched the attack designed for that specific environment.
Fake websites used to deliver the iPhone Crypto Exploit
Investigators discovered that the iPhone Crypto Exploit was often distributed through compromised websites.
In several cases, the malicious code appeared only when visitors accessed the pages using an iPhone from specific geographic locations. Early incidents were detected on Ukrainian websites before similar attacks appeared on fraudulent Chinese financial service platforms.
One fake website reportedly copied the interface of the cryptocurrency exchange WEEX in order to lure victims into interacting with the malicious system.
Once a user loaded the infected page, the exploit attempted to search the device for financial information.
Researchers said the malware specifically scanned text data containing phrases such as backup phrase, seed phrase, or bank account details.
The system also looked for installed cryptocurrency applications, including popular wallets like MetaMask and decentralized finance tools such as Uniswap.
Cybersecurity experts debate the origin of the exploit
The origins of the iPhone Crypto Exploit have sparked debate within the cybersecurity community.
Google researchers did not publicly identify who developed the Coruna toolkit. However, some security experts believe the software may share characteristics with tools previously used by government-linked cyber operations.
One cybersecurity analyst suggested the complexity of the code indicates that the toolkit required significant financial resources to develop.
Other experts disagree with this interpretation. Some security firms say they have not found clear evidence linking the exploit to government agencies.
As a result, the origin of the toolkit remains uncertain.
Crypto investors remain prime targets for attackers
The iPhone Crypto Exploit highlights the growing threat faced by cryptocurrency users worldwide.
Cybercriminals frequently target seed phrases because they provide complete access to digital wallets. Once attackers obtain this information, they can transfer funds instantly, and transactions on most blockchains cannot be reversed.
According to blockchain security firm CertiK, phishing attacks and private key theft caused losses of more than $700 million during 2025.
These attacks often combine several methods at once. Criminals may exploit software vulnerabilities, create fake websites, and search devices for sensitive data.
How users can protect against the iPhone Crypto Exploit
Security experts advise iPhone users to update their devices to the latest version of iOS as soon as possible.
Google researchers confirmed that the Coruna exploit toolkit does not work on the newest versions of Apple’s operating system.
Users can also enable Lockdown Mode, a security feature designed to protect devices from highly sophisticated cyberattacks.
Additional precautions include avoiding suspicious websites, protecting wallet seed phrases, and storing backup keys offline.
As cryptocurrency adoption grows, experts warn that mobile devices will remain a major target for cybercriminals seeking access to digital assets.
