Leaked Government Hacking Tools Now Fuel Criminal Activity
A sophisticated suite of hacking tools, potentially originating from a U.S. Government framework, has infiltrated the cybercrime world, enabling widespread attacks on iPhones. Researchers have identified the exploit kit, dubbed “Coruna,” being used by Russian espionage groups and financially motivated hackers, highlighting the growing risk of state-developed exploits falling into the wrong hands.
From Government Surveillance to Criminal Exploitation
Google’s Threat Intelligence Group first identified Coruna in February 2025 during a surveillance vendor’s attempt to install spyware on a device for a government client (Google Cloud Blog). Months later, the same toolkit surfaced in a broad-scale campaign targeting Ukrainian users, attributed to a Russian espionage group. Subsequently, it was detected in use by a financially motivated hacker operating in China, indicating a shift from targeted espionage to opportunistic criminal activity (CyberScoop).
This progression suggests the toolkit either leaked or was sold on an emerging “secondhand” exploit market, where hackers can purchase and repurpose sophisticated tools for financial gain (CyberScoop). The proliferation of these capabilities raises concerns about the potential for misuse and the difficulty of controlling their spread.
Coruna’s Technical Capabilities
Coruna is a highly sophisticated exploit kit, containing five complete iOS exploit chains and a total of 23 distinct exploits (Google Cloud Blog). It can compromise an iPhone when the user merely visits a malicious website – a “watering hole” attack – with no further interaction required from the victim. The toolkit exploits vulnerabilities in iOS versions ranging from 13.0 (released in September 2019) up to 17.2.1 (released in December 2023) (Google Cloud Blog).
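The one actionable detail in that description for a defender is the affected version range. The following illustrative script, added here and not part of the original reporting or of any vendor’s tooling, shows how a fleet owner might triage a device inventory against the reported range: it parses iOS version strings into comparable tuples, treats 13.0 through 17.2.1 as affected (reading the article’s “up to 17.2.1” as inclusive, an assumption), and separates malformed entries rather than silently skipping them. The inventory rows, column names and device identifiers are constructed for the example.

```python
import csv
import io

# Affected range as reported in the article: iOS 13.0 up to 17.2.1.
# Upper bound treated as inclusive (assumption drawn from the wording).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1' or '17.3' into a zero-padded (major, minor, patch) tuple.

    Raises ValueError for anything that is not one to three dotted integers,
    so bad inventory data is surfaced instead of being compared as a string.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_in_affected_range(version: str) -> bool:
    """True if the version falls inside the range reported for Coruna."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


# Constructed sample of an MDM inventory export (device_id,ios_version).
SAMPLE_INVENTORY = """\
device_id,ios_version
ip-0001,12.5.7
ip-0002,13.0
ip-0003,16.7.4
ip-0004,17.2.1
ip-0005,17.3
ip-0006,18.1
ip-0007,bogus
"""


def triage_inventory(csv_text: str) -> dict[str, list[str]]:
    """Bucket every device into affected / unaffected / malformed.

    Tuple comparison on (major, minor, patch) avoids the classic string-compare
    bug where '17.10' would sort before '17.2'.
    """
    affected: list[str] = []
    unaffected: list[str] = []
    malformed: list[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            bucket = affected if is_in_affected_range(row["ios_version"]) else unaffected
        except ValueError:
            bucket = malformed
        bucket.append(row["device_id"])
    return {"affected": affected, "unaffected": unaffected, "malformed": malformed}


if __name__ == "__main__":
    for label, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{label:>10}: {', '.join(ids) or '-'}")
```

The result only says which devices sit inside the range the article reports; a device outside it is not thereby shown to be safe, and the malformed bucket is worth reviewing by hand, since an unparseable version field usually means the inventory itself is stale or incomplete.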
Potential U.S. Government Link
Mobile security firm iVerify obtained and reverse-engineered Coruna, finding code similarities to tools previously attributed to the United States (WIRED). While iVerify stops short of definitive attribution, the findings suggest a possible origin within a U.S. Government framework. The firm warns that wider use increases the risk of leaks and loss of control over the toolkit’s deployment (FindArticles).
The discovery echoes past incidents, such as the 2017 leak of the “EternalBlue” exploit developed by the U.S. National Security Agency, which was subsequently used in the WannaCry ransomware attack (CyberScoop). The recent sentencing of Peter Williams, a former L3Harris executive, for selling zero-day exploits to a Russian broker underscores the risks associated with the private sale of powerful hacking tools (CyberScoop).
Operation Triangulation Connection
Coruna’s components have likewise been linked to “Operation Triangulation,” a hacking campaign previously attributed to the U.S. Government by Russian cybersecurity firm Kaspersky in 2023 (WIRED). The NSA declined to comment on Kaspersky’s allegations.
Implications and Future Concerns
The Coruna case highlights a recurring pattern: state-developed hacking capabilities can leak and be repurposed for criminal activities. This poses a significant threat to individuals and organizations, as sophisticated exploits become more readily available to malicious actors. The emergence of a market for “secondhand” exploits necessitates a reevaluation of government policies regarding the development, stockpiling, and potential disclosure of zero-day vulnerabilities.