iPhone cryptocurrency wallets at risk as Google discovers new iOS exploit kit


Google has discovered a hacking toolkit called Corona that silently compromises iPhones and steals targets' passwords for popular wallet apps such as MetaMask, Phantom, and Trust Wallet.

The attack requires only that an outdated iPhone visit a phishing or hacking website; the infection then begins without any action from the victim.

Why it matters:

  • iPhones running iOS 17.2.1 or earlier remain vulnerable; Apple released the final patch for the exploit in iOS 17.3, in January 2024.
  • The toolkit scans notes and messages for passphrases and keywords such as “passphrases”, giving attackers full access to the wallet without the need for a password.
  • It targets 18 cryptocurrency apps, meaning users of MetaMask, Phantom, Exodus, Trust Wallet and Uniswap are at risk of direct theft.

The details:

  • Google's Threat Intelligence Group (GTIG) said it retrieved the full toolkit from hundreds of fake financial websites and cryptocurrency exchanges, including a fake WEEX cryptocurrency exchange site.
  • A suspected Russian spy group used the same toolkit in the summer of 2025 to target iPhone users in Ukraine via compromised local business websites.
  • A Chinese for-profit team spread the kit largely through fraudulent websites, allowing Google to recover the entire kit and name it Corona.
  • Activate Lockdown Mode in your iPhone settings to completely disable the attack: the kit detects this mode and stops working.

The full picture:

  • The same set of tools passed through a surveillance company, a Russian state-backed group, and Chinese financial criminals, indicating a growing secondary market for powerful hacking tools.
  • Two of the Corona vulnerabilities were previously used in Operation Triangulation, a 2023 iOS espionage campaign discovered by Kaspersky, which shows how sophisticated vulnerabilities are reused among different threat actors.
