Google TAG: ‘Coruna’ iPhone exploit kit steals BIP39 seed phrases from mobile wallets

Google’s Threat Analysis Group (TAG) and Threat Intelligence Group (GTIG) have identified “Coruna,” a sophisticated iOS exploit kit now used to steal BIP39 seed phrases and other wallet data from iPhones. Coruna bundles 23 vulnerabilities across iOS 13.0–17.2.1, including zero-days, and was first seen in February 2025.

The framework fingerprints visitor devices on compromised gambling and fake exchange sites (watering-hole attacks) and delivers tailored JavaScript exploit chains (WebKit RCE) that bypass mitigations to gain system-level access. Once deployed, the kit scans for wallet apps and artifacts (MetaMask, BitKeep, Uniswap/DEX-related apps, cached QR codes, notes, screenshots) and exfiltrates 12–24 word seed phrases to encrypted command-and-control servers.

Google traces the current financially motivated wave to UNC6691, which appears to have acquired the kit after earlier suspected nation-state use (UNC6353). Apple patched the exploited flaws in iOS 17.3 and later; TAG urges immediate updates or enabling Lockdown Mode for devices that can’t upgrade.

For traders, the attack raises acute risk to mobile hot wallets and retail users. Recommended mitigations include updating to iOS 17.3+, enabling Lockdown Mode if unable to update, removing seed phrases from notes and screenshots, and moving significant funds to hardware wallets that require physical confirmation.

The report highlights a trend: high-end zero-days once used for espionage are being commodified for large-scale crypto theft, increasing phishing and device-compromise risk and the potential for short-term selling pressure if exploitation becomes widespread.
Bearish
Coruna increases direct risk to crypto holders who use mobile hot wallets by enabling seed-phrase theft through drive-by watering‑hole attacks. In the short term this raises the likelihood of intraday or rapid selling by affected retail users who lose access to funds or seek to move assets to safer storage, creating localized downward pressure on liquid tokens commonly held in mobile wallets (ERC‑20 tokens, major altcoins). The immediate market impact is likely concentrated and transient: exploited users will sell or attempt to withdraw funds, but large institutional holders are less affected. Over the medium to long term, widespread exploitation could erode retail confidence in mobile custody solutions, raising demand for hardware wallets and custodial services and possibly reducing speculative flows into smaller-cap tokens. However, patches in iOS 17.3+ and clear mitigation steps (updates, Lockdown Mode, hardware wallets) reduce the risk of persistent market decline. Overall, the news is bearish for short-term price action among assets most held in vulnerable mobile wallets, while longer-term effects depend on adoption of stronger custody practices.