How US Government Hacking Tools Ended Up in Cybercriminals' Hands

When Google security researchers first spotted the Coruna exploit kit in February 2025, they thought they were watching a typical surveillance operation. A vendor was trying to hack into an iPhone on behalf of a government customer. Nothing unusual there, or so it seemed. But then something strange happened. The same tools started showing up in Russian espionage campaigns targeting Ukraine. Later, they appeared in attacks by financially motivated hackers in China.

The toolkit had escaped. And once it did, there was no getting it back.

Google and mobile security company iVerify have now published research suggesting that Coruna originated from the US government. The exploit kit is weaponized enough to compromise iPhones running iOS versions up to 17.2.1, which means millions of devices are potentially vulnerable. What’s worse? Nobody really knows how many hands these tools have passed through by now.

When Government Tools Go Rogue

This isn’t the first time we’ve seen government-built hacking tools leak into the wild. Back in 2017, the NSA’s EternalBlue exploit surfaced on the internet after being stolen. Cybercriminals immediately weaponized it, and within months it became the backbone of the WannaCry ransomware attack that crippled hospitals and businesses worldwide. The damage was staggering.

But here’s what makes Coruna different. The leak seems to have spawned what security researchers are calling a “secondhand exploit market.” Hackers are buying and selling these tools to extract maximum value. It’s like discovering that a master lockpick you designed for a specific job has become a commodity that anyone with enough cash can purchase.

iVerify’s research team reverse-engineered the tools and found 23 separate vulnerabilities chained together. The kit works through watering hole attacks, meaning victims just need to visit a malicious website or click a bad link. That’s disturbingly simple for how much damage it can do.

The Pattern We Keep Ignoring

There’s a pattern here worth paying attention to. Peter Williams, the former head of L3Harris Trenchant’s defense division, was recently sentenced to over seven years in prison for stealing and selling eight exploits to Russian government brokers. Those exploits could potentially compromise millions of devices worldwide. Nobody knows if they were ever patched by software makers.

The point isn’t just that bad people steal things. It’s that once a government-grade hacking tool exists, keeping it secret becomes nearly impossible. Every person with access becomes a potential leak vector. Every foreign intelligence service becomes a potential target for theft. Every disgruntled employee becomes a security risk.

“The more widespread the use, the more certain a leak will occur,” iVerify warned in their research. It’s not a prediction. It’s a law of nature applied to cybersecurity.

What This Actually Means for Your Phone

If you’re using an iPhone with iOS 17.2.1 or older, congratulations, you’re potentially vulnerable to Coruna. But panicking won’t help much. What matters is updating your device the moment Apple releases patches. Apple hasn’t publicly disclosed the specific vulnerabilities yet, but they will need to at some point.
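For a defender with a fleet of managed iPhones, the practical step is to find the devices that still sit in the range the article gives (iOS 17.2.1 and older) and push updates to them first. The script below is an added example, not code from the article, Google or iVerify; the CSV inventory format and every device record in it are constructed for illustration, and the 17.2.1 cutoff is taken from the article only, so replace it with Apple's own advisory once the fixed versions are published. It also shows why versions must be compared numerically rather than as strings: "17.10" is newer than "17.2", but a string comparison ranks it lower.

```python
"""Flag iPhones in a device inventory whose iOS version falls in the range the
article gives for Coruna (iOS 17.2.1 and older).

Added example for illustration; not code from the article, Google or iVerify.
The inventory format (CSV of device_id,os_version) and all device records are
constructed for this example.
"""
import csv
import io

# The only fact taken from the article: Coruna compromises iOS up to 17.2.1.
# Assumption: treat that as the last affected release until Apple says otherwise.
LAST_AFFECTED_IOS = "17.2.1"


def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1). Missing components count as 0, so
    '17.2' becomes (17, 2, 0). Non-numeric components raise ValueError."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_in_affected_range(version, last_affected=LAST_AFFECTED_IOS):
    """True when `version` is less than or equal to the last affected release.

    Tuples of ints compare numerically, which matters: a plain string
    comparison would rank '17.10' below '17.2', although 17.10 is newer."""
    return parse_version(version) <= parse_version(last_affected)


def triage_inventory(csv_text):
    """Classify each inventory row as 'affected', 'patched' or 'unknown'
    (unparseable version). Returns a list of (device_id, os_version, status)."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        device_id = row["device_id"]
        os_version = row["os_version"]
        try:
            status = "affected" if is_in_affected_range(os_version) else "patched"
        except ValueError:
            status = "unknown"  # surface for manual review instead of silently skipping
        results.append((device_id, os_version, status))
    return results


def summarize(results):
    """Count devices per status for a one-line fleet report."""
    counts = {"affected": 0, "patched": 0, "unknown": 0}
    for _, _, status in results:
        counts[status] += 1
    return counts


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """device_id,os_version
iphone-0001,17.2.1
iphone-0002,17.3
iphone-0003,16.7.10
iphone-0004,17.10
iphone-0005,n/a
"""


if __name__ == "__main__":
    rows = triage_inventory(SAMPLE_INVENTORY)
    for device_id, os_version, status in rows:
        print(f"{device_id:12} {os_version:8} {status}")
    print(summarize(rows))
```

In a real deployment the CSV would come from the MDM export, and the "unknown" bucket is worth keeping visible: devices that report no version, or a malformed one, are exactly the ones that tend to be forgotten in a patch push.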

The bigger issue is what this tells us about the relationship between technology and national security. Governments want to build powerful hacking tools. Private companies want to sell surveillance solutions. But once those tools exist, they become targets. They leak. They spread. They get used by people for whom they were never intended.

The Coruna case is particularly interesting because it reveals something uncomfortable about how exploitation works. These aren’t tools that were carelessly left behind. They were actively proliferated through multiple threat actors. Someone moved them from one set of hands to another, probably more than once. That suggests coordination or at least organized markets for this kind of thing.

Google’s researchers found evidence connecting Coruna to previous US government hacking campaigns. iVerify came to similar conclusions independently. Yet the official story remains vague. Details matter less than the larger point: the tools got out, and now they’re being used by Russia, China, and financially motivated criminals.

The Uncomfortable Truth

We’re now living in a world where the line between state-sponsored and criminal hacking has become almost meaningless. The tools are the same. The vulnerabilities are the same. The victims are the same. The only difference is who’s paying and what they want from the data they steal.

This also raises questions about disclosure. If the US government was using these vulnerabilities to hack iPhones, was Apple notified? Were the bugs ever reported through proper channels, or did they remain secret until they leaked? These are the kinds of questions that governments prefer not to answer.

The historical record suggests we’ll keep seeing government hacking tools leak into criminal and hostile hands. It happened with EternalBlue. It happened with tools stolen by Peter Williams. It’s happening with Coruna. The pattern is consistent, and nothing structural has changed to prevent it from happening again.

Maybe the real question isn’t how to prevent these leaks. Maybe it’s whether governments should be building tools this powerful in the first place, knowing that eventually they’ll escape and be turned against civilians and critical infrastructure alike.

Written by

Adam Makins
