Google TAG: 'Coruna' iPhone exploit kit steals BIP39 seed phrases from mobile wallets
Google's Threat Analysis Group (TAG) and Threat Intelligence Group (GTIG) have identified "Coruna," a sophisticated iOS exploit kit used to steal BIP39 seed phrases and other wallet data from iPhones. Coruna packs 23 vulnerabilities across iOS 13.0–17.2.1, including zero-days, and first appeared in February 2025. The framework fingerprints visitor devices on compromised gambling and fake exchange sites (watering-hole attacks) and delivers tailored JavaScript exploit chains (WebKit RCE) that bypass protections to gain system-level access. Once deployed, the kit scans for wallet apps and artifacts (MetaMask, BitKeep, Uniswap/DEX-related apps, cached QR codes, notes, screenshots) and exfiltrates 12–24 word seed phrases to encrypted command-and-control servers. Google traces the current financially motivated wave to UNC6691, which appears to have bought the kit after earlier suspected nation-state use (UNC6353). Apple has patched the exploited flaws in iOS 17.3 and later; TAG urges users to update quickly or to enable Lockdown Mode on devices that cannot upgrade. For traders, the attack poses a serious risk to mobile hot wallets and retail users: recommended mitigations include updating to iOS 17.3+, enabling Lockdown Mode if you cannot update, removing seed phrases from notes/screenshots, and moving large funds to hardware wallets that require physical confirmation. The report shows a trend: high-end zero-days previously used for espionage have become a commodity for large-scale crypto theft, which increases phishing/device-compromise risk and could cause short-term selling pressure if exploitation spreads widely.
Bearish
Coruna increases the direct risk to crypto holders who use mobile hot wallets, because it can enable seed-phrase theft through drive-by watering-hole attacks. In the short term, this raises the chance that affected retail users will sell quickly or sell within the day as they lose access to funds or try to move assets to safer storage, creating local downward pressure on liquid tokens that people keep in mobile wallets (ERC-20 tokens, major altcoins). The immediate market impact may be concentrated and short-lived: exploited users will sell or try to withdraw funds, but large institutional holders will not be much affected. In the medium to long term, widespread exploitation could shake retail confidence in mobile custody solutions, increase demand for hardware wallets and custodial services, and could reduce speculative flows into smaller-cap tokens. However, patches in iOS 17.3+ and clear mitigation steps (updates, Lockdown Mode, hardware wallets) reduce the risk of a persistent market decline. Overall, the news is bearish for short-term price action among assets widely held in vulnerable mobile wallets, while longer-term effects depend on whether people adopt stronger custody practices.