Author: Max, Crypto City
Evolving from a national surveillance tool to an “asset harvesting machine”
According to an in-depth report released by Google Threat Intelligence Group (GTIG), the iOS vulnerability suite codenamed Coruna (also known as CryptoWaters) poses a serious threat to users worldwide. The development of this tool has a highly dramatic trajectory. When first discovered in February 2025, it was provided by private surveillance vendors to government clients for targeted monitoring of politicians and dissenters. Later, in summer 2025, a hacker group linked to the Russian government, UNC6353, took control of the suite and used it for geopolitical espionage against Ukrainian citizens.
Image source: Google | Coruna Timeline
As the technology proliferated, this professionally developed tool, costing millions of dollars, has officially entered the cybercrime market. By late 2025 to early 2026, a Chinese hacker group, UNC6691, acquired the technology and shifted their attack focus to digital asset theft. This marks the commodification of high-level espionage tools, transforming from targeted intelligence gathering to large-scale theft of cryptocurrency holdings. Researchers note that hackers are willing to invest significant technical resources, indicating that the enormous profits behind crypto assets drive professional techniques into financial crime.
23 Vulnerabilities Chain Reaction: Silent Penetration Behind the “Watering Hole”
Coruna features a high degree of automation and stealth, integrating 23 independent vulnerabilities that form five complete attack chains. Its scope is extensive, affecting all iPhones and iPads running iOS 13.0 through iOS 17.2.1. The hackers employ a covert “watering hole attack,” infiltrating or setting up fake cryptocurrency exchanges and financial websites to lure victims. These sites, such as the counterfeit WEEX exchange, look and function almost identically to the real ones, even using SEO and paid ads to increase visibility.
Image source: Google | Fake WEEX Exchange
When iPhone users visit these compromised sites, background scripts immediately execute device recognition. The system silently checks the iOS version, and if the device falls within the targeted range, it automatically triggers zero-click (Zero-click) exploits, fully automated without any user interaction or clicking links. Some fake sites even proactively prompt users to browse with iOS devices, claiming better experience, but in reality, they are precisely targeting vulnerable devices that haven’t been updated.
Even screenshots in photo albums are not safe
Once Coruna successfully gains device access, its malicious component PlasmaLoader activates, conducting a scan of the user’s digital assets. This program has powerful scanning capabilities, actively searching for keywords like “backup phrase,” “bank account,” or “seed phrase,” and extracting key data from SMS and notes. It also features image recognition, automatically scanning screenshots in the user’s photo albums for QR codes containing wallet seed phrases or private keys.
In addition to static data collection, Coruna targets mainstream crypto wallet apps like MetaMask and Uniswap. Hackers attempt to extract sensitive information from these apps to gain full control of wallets. In multiple known cases, victims’ funds were transferred shortly after visiting fake websites. Because the attack targets system-level permissions, any digital traces of private keys left on the device are difficult to escape from this espionage-grade tool.
Image source: Google | Google lists all apps potentially vulnerable to malicious attacks
Defense Rules and Survival Tips? System Updates Are Key to Security
In the face of sophisticated high-level threats, iPhone users should adopt clear protective measures. Google’s report states that Coruna is completely ineffective against iOS 17.3 or higher. Although newer system versions are available, some users still run outdated devices or lack space to update, exposing themselves to risk. For older models that cannot upgrade to secure versions, enabling Apple’s “Lockdown Mode” is an effective countermeasure. Once malicious software detects this mode, it will cease operation to avoid detection.
Cybersecurity experts recommend that crypto holders follow basic survival rules. The primary protection is to use hardware wallets (such as Ledger or Trezor), keeping private keys offline and disconnected from iOS environments. Additionally, all screenshots containing seed phrases or private keys should be immediately deleted from photo albums, and offline physical backups should be used instead.
Although Coruna avoids detection by steering clear of incognito browsing modes, this is only a temporary measure. As the value of digital assets continues to rise, maintaining software updates and cybersecurity vigilance has become a fundamental responsibility for every investor.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Polymarket reviews and weeds out early-stage projects in its ecosystem, targeting insider trading and market manipulation behaviors
Polymarket announced an audit of some of the onboarded startup projects that have been accused of using allegedly insider trading account information to steer users into making trades. The move is intended to strengthen compliance management and address external concerns about the risks of insider trading.
GateNews2h ago
In Q1 2026, Web3 projects suffered losses of over $460 million from hacks and scams, with phishing attacks leading the way.
Hacken’s report shows that in the first quarter of 2026, Web3 projects lost $464.5 million due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million in losses. In addition, hardware wallet scams accounted for the bulk of the losses. Moreover, losses were also significant due to smart contract vulnerabilities and access control failures. In terms of regulation, the European legal framework has increased security monitoring requirements.
GateNews5h ago
RAVE’s hype surge triggers a flood of copycat coin mania, as FF and INX expose the “pump-and-dump” scheme
Recently, altcoins represented by RAVE have sparked a fierce investment craze, but some old star projects like FF and INX have used this wave of hype to carry out “pump-and-dump” operations—rapidly driving up coin prices to lure retail investors to buy, and then dumping them heavily, causing the price to plunge rapidly. Such behavior not only exposes the project team’s funding difficulties, but also damages investors’ trust. Investors need to stay alert to signals like abnormal short-term surges in order to avoid the risk of being manipulated by the market.
MarketWhisper9h ago
FBI teams up with Indonesia to dismantle W3LL phishing network, with more than $20 million involved
The U.S. FBI and Indonesian police successfully cooperated to dismantle a W3LL phishing network, seizing related equipment and detaining suspects. The W3LL phishing toolkit offers low-priced fake login pages that use man-in-the-middle attacks to easily bypass multi-factor authentication, forming an organized cybercrime ecosystem. This operation marks cooperation between the U.S. and Indonesia in law enforcement against cybercrime; however, the security threats to cryptocurrency users remain severe.
MarketWhisper13h ago
Squads Emergency Alert: Address poisoning and forged multisig accounts; a whitelist mechanism will go live
Solana ecosystem multi-signature agreement Squads issued a warning, pointing out that attackers launched an address poisoning attack against users by using fake accounts to trick users into making unauthorized transfers. Squads confirmed that there was no loss of funds and emphasized that this is a social engineering attack rather than a protocol vulnerability. To respond, Squads has implemented protective measures such as a warning system, non-interactive account prompts, and a whitelist mechanism. This incident reflects the growing social engineering threats in the Solana ecosystem and has prompted ongoing security reviews.
MarketWhisper13h ago
South Korean “retaliation intermediary” agencies charged USDT to carry out violent crimes, and continued operating even after the main suspect was arrested
South Korea has recently seen multiple “revenge intermediary” organizations that use cryptocurrency as a payment method. They offer intimidation and murder services via Telegram. Even though the main culprit has been arrested, related advertisements are still being posted. Police are investigating more than 50 cases and have arrested about 30 people.
GateNews15h ago
