Powerful iPhone Hacking Tools Once Used by Governments Now in Hands of Criminals

Powerful iPhone hacking tools once used by governments are now being used by cybercriminals, and that shift is raising new concerns about mobile security.

For years, advanced surveillance exploits were mostly limited to intelligence agencies and specialized contractors. These tools required deep technical expertise and were rarely seen outside state-level cyber operations.

That boundary is beginning to blur.

Security researchers recently discovered that a sophisticated toolkit designed to break into Apple devices is now circulating beyond government use. What started as a targeted surveillance capability is slowly becoming accessible to criminal groups.

The discovery shows how quickly cyber weapons can move from intelligence programs into the broader cybercrime ecosystem. 

TL;DR

  • Powerful iPhone hacking tools originally developed for government surveillance are now being used by cybercriminals.
  • Researchers discovered a toolkit called Coruna containing more than 20 vulnerabilities and multiple exploit chains.
  • The toolkit targets weaknesses in Apple’s iOS operating system.
  • These kinds of tools can spread once they leak or enter underground markets.
  • Keeping devices updated remains the most effective protection.

The Toolkit That Triggered the Alarm

Researchers identified a toolkit called Coruna, which contains a large collection of exploits designed to compromise Apple’s iOS operating system.

According to security researchers from Google’s Threat Intelligence Group, the toolkit includes:

  • More than 20 vulnerabilities
  • Multiple exploit chains
  • Techniques that bypass core iOS security protections

An exploit chain combines several vulnerabilities so that attackers can escalate privileges and take control of a device.

Once successful, attackers can potentially install spyware, steal sensitive data, or monitor communications.

What makes the toolkit particularly concerning is its complexity. The exploit chains resemble the kind of tools typically developed for intelligence operations rather than common cybercrime campaigns.

From Surveillance Tool to Criminal Weapon

Evidence suggests that the toolkit may have originally been created for government use or by contractors working with intelligence agencies.

These kinds of surveillance tools are often used for highly targeted operations. They are designed to infiltrate specific devices belonging to journalists, activists, or foreign intelligence targets.

However, once these tools leak or are resold, they can quickly spread beyond their original purpose.

Researchers observed the toolkit appearing in different campaigns over time. In some cases it was used in espionage operations, while later activity suggests it was adopted for financially motivated cybercrime.

In one campaign, attackers deployed the exploit kit on compromised websites designed to infect visitors’ devices.

This transition from government tool to criminal asset highlights a familiar pattern in cybersecurity.

Why iPhones Became a Target

Apple devices are often seen as secure because of their tightly controlled ecosystem and regular software updates.

But no operating system is immune to vulnerabilities.

Attackers who discover weaknesses in iOS can build sophisticated exploit chains that bypass built-in protections such as:

  • Sandbox restrictions
  • Memory protections
  • Application isolation

Once these barriers are bypassed, attackers can escalate privileges and gain deeper control over the device.

Most of the vulnerabilities exploited by the toolkit targeted older versions of iOS, which means devices that have not been updated remain at greater risk.

A Pattern We’ve Seen Before

The spread of government-grade cyber tools into criminal circles is not new.

One of the most famous examples is EternalBlue, a cyber weapon originally developed by the U.S. National Security Agency.

After the exploit leaked online, it was quickly adopted by criminal groups and used in large-scale attacks including the WannaCry ransomware outbreak that disrupted hospitals, logistics companies, and government agencies worldwide.

The same cycle appears to be repeating.

Once advanced exploits escape controlled environments, they rarely stay contained.

Instead, they circulate through underground markets, hacking forums, and private broker networks.

Why This Matters for Everyday Users

Most mobile attacks today still rely on simple tactics such as phishing or malicious apps.

However, advanced exploit kits change the threat landscape.

When attackers possess reliable exploits for zero-day or near-zero-day vulnerabilities, they can sometimes compromise devices with very little user interaction.

Some exploit chains can be triggered simply by:

  • Visiting a malicious website
  • Opening a compromised link
  • Viewing infected web content

These attacks are often difficult for users to detect.

That is why software updates remain one of the most effective defenses.

How iPhone Users Can Reduce Risk

Although the discovery sounds alarming, there are practical steps users can take to protect themselves.

1. Update iOS regularly

Apple frequently releases security patches that close known vulnerabilities.

2. Avoid suspicious links

Many attacks still begin with malicious websites or phishing messages.

3. Enable Lockdown Mode if needed

Apple introduced Lockdown Mode for users who may face targeted attacks, such as journalists or public figures.

4. Keep apps updated

Outdated apps may contain vulnerabilities that attackers can exploit.

5. Monitor unusual device behavior

Unexpected battery drain, overheating, or unfamiliar network activity may indicate compromise.

The Larger Cybersecurity Lesson

The appearance of government-grade iPhone exploits in criminal campaigns reflects a deeper trend in cybersecurity.

Advanced tools rarely remain exclusive forever.

Once developed, they can leak, be stolen, or be repurposed. When that happens, the gap between nation-state cyber operations and ordinary cybercrime becomes much smaller.

For security professionals, the discovery reinforces an important truth.

The most sophisticated threats do not stay classified forever.

Eventually, they reach the wider internet.

FAQs

What is the Coruna hacking toolkit?

Coruna is a collection of advanced exploits designed to compromise Apple iPhones by chaining together multiple iOS vulnerabilities.

Are iPhones still secure?

Yes. Apple devices remain secure when kept updated. Most of the vulnerabilities exploited by the toolkit affect older versions of iOS.

How do attackers use these exploits?

Attackers can deliver them through malicious websites, phishing links, or compromised online content.

What should users do to stay safe?

Users should install iOS updates regularly, avoid suspicious links, and enable security features such as Lockdown Mode.

Why do government cyber tools end up in criminal hands?

Cyber tools can leak, be stolen, or be resold through underground markets once they leave controlled environments.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
