iPhone cryptocurrency wallets at risk as Google discovers new iOS exploit kit


Google has discovered a hacking toolkit called Corona that silently compromises iPhones and steals targets' passwords for popular wallet apps such as MetaMask, Phantom, and Trust Wallet.

The attack requires only that an outdated iPhone visit a phishing or hacked website; the infection then begins without any action from the victim.

Why it is important:

  • iPhones running iOS 17.2.1 or earlier remain vulnerable; Apple released the final patch for the exploit only in iOS 17.3, in January 2024.
  • The toolkit scans notes and messages for passphrases and keywords such as “passphrases”, giving attackers full access to the wallet without the need for a password.
  • It targets 18 cryptocurrency apps, meaning users of MetaMask, Phantom, Exodus, Trust Wallet and Uniswap are at risk of direct theft.

The details:

  • GTIG said it retrieved the full toolkit from hundreds of fake financial websites and cryptocurrency exchanges, including a fake WEEX cryptocurrency exchange.
  • A suspected Russian spy group used the same toolkit in the summer of 2025 to target iPhone users in Ukraine via compromised local business websites.
  • A Chinese for-profit team spread the kit largely through fraudulent websites, allowing Google to recover the entire kit and name it Corona.
  • Enable Lockdown Mode in your iPhone settings to completely disable the attack: the kit detects this mode and stops working.

The full picture:

  • The same set of tools moved through a surveillance company, a group backed by the Russian state, and Chinese financial criminals, indicating a growing secondary market for powerful hacking tools.
  • Two of the Corona vulnerabilities were previously used in Operation Triangulation, a 2023 iOS espionage campaign discovered by Kaspersky, which shows how sophisticated vulnerabilities are reused among different threat actors.
