iPhone Users Warned: Crypto frauds Can Trigger | Crypto News
Google’s Threat Intelligence Group (GTIG) is warning that a “new and powerful” iOS exploit kit, dubbed Coruna by its developers, has been deployed on fake finance and crypto websites designed to lure iPhone users into visiting pages that can silently deliver exploits. For crypto holders, the risk is blunt: GTIG’s analysis shows the campaigns ultimately focused on harvesting seed phrases and wallet data from popular mobile apps.
Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, bundling 5 full exploit chains and 23 exploits. GTIG says it recovered the kit after tracking its evolution across 2025, from early use by a customer of a commercial surveillance company, to “watering hole” attacks on compromised Ukrainian websites, and finally to broad-scale distribution via Chinese-language scam websites tied to a financially motivated actor it tracks as UNC6691.
A Crypto Lure Designed For iPhones
In the scam-wave phase, GTIG says it observed the JavaScript framework behind Coruna deployed across a “very large set” of fake Chinese websites mostly themed around finance. One example cited by GTIG is a fake WEEX-branded crypto exchange page that tried to push visitors onto an iOS device, after which a hidden iFrame can be injected to deliver the exploit kit “regardless of their geolocation.”
The delivery mechanics matter because they blur the line between conventional phishing and outright device compromise: in GTIG’s telling, merely landing on the booby-trapped page from a vulnerable iPhone was enough to start the chain. The framework fingerprints the device to determine its model and iOS version, then loads the appropriate WebKit remote code execution exploit and a pointer authentication (PAC) bypass.
GTIG tied one WebKit RCE it recovered to CVE-2024-23222, noting it was addressed by Apple in iOS 17.3 on Jan. 22, 2024.
At the end of the chain, GTIG says Coruna drops a stager it calls PlasmaLoader (tracked as PLASMAGRID) and describes it as focused less on general surveillance features and more on stealing financial information. According to GTIG, the payload can decode QR codes from images stored on the device and scan text blobs for BIP39 word sequences, along with keywords such as “backup phrase” and “bank account”, including in Apple Memos, which it can then exfiltrate.
The payload is also modular. GTIG says it can pull down and run additional modules remotely, and that many of the identified modules are designed to hook functions and exfiltrate sensitive information from popular crypto wallet apps, among them MetaMask, Trust Wallet, Uniswap’s wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper.
The broader arc was also flagged by mobile security firm iVerify, which published its own findings around the same time as GTIG’s report. “And that’s exactly what happened again here, but on mobile devices. Phone OEMs do as good a job as anyone can do…”
What Crypto Users Can Do Now
Google says Coruna “is not effective against the latest version of iOS,” and urges users to update. If updating isn’t possible, GTIG recommends enabling Apple’s Lockdown Mode. GTIG also says it added the identified websites and domains to Google Safe Browsing to help reduce further exposure.
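For anyone responsible for more than one device, the version range the article gives (iOS 13.0 through 17.2.1) can be turned into an inventory check. The Python sketch below is an added example, not code from GTIG or from the original article; the device names, the sample inventory and the status labels are constructed assumptions.

```python
import re

# Range stated in the article: iOS 13.0 through iOS 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Tagged forms: "iOS 17.3", or user-agent style "iPhone OS 16_7_2" / "CPU OS 13_0".
_TAGGED = re.compile(r"(?:iPhone OS|CPU OS|iOS)\s+(\d+)(?:[._](\d+))?(?:[._](\d+))?")
# Bare form: the whole field is a dotted version such as "17.2.1".
_BARE = re.compile(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*")

def parse_ios_version(text):
    """Return (major, minor, patch), or None if no iOS version is recognisable."""
    m = _TAGGED.search(text) or _BARE.fullmatch(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(text):
    """Place a reported OS string relative to the range the article gives."""
    v = parse_ios_version(text)
    if v is None:
        return "unknown"        # treat as needing manual review
    if v < AFFECTED_MIN:
        return "below-range"    # outside the stated range, but long unsupported
    if v <= AFFECTED_MAX:
        return "in-range"       # update first, or enable Lockdown Mode
    return "above-range"        # still update: the advice is the latest iOS

def triage(inventory):
    """Group device names by status, preserving inventory order."""
    out = {}
    for name, reported in inventory:
        out.setdefault(classify(reported), []).append(name)
    return out

# Constructed sample inventory: (device name, OS string as reported).
SAMPLE = [
    ("phone-a", "17.2.1"),
    ("phone-b", "iOS 17.3"),
    ("phone-c", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_2 like Mac OS X)"),
    ("phone-d", "12.5.7"),
    ("ipad-e", "Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X)"),
    ("phone-f", "n/a"),
]

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE).items()):
        print(f"{status:12} {', '.join(names)}")
```

User-agent strings are self-reported, so a version taken from device management data is the more reliable input where both are available.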
For crypto-native users, the immediate takeaway is practical: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic, which makes “visit-to-compromise” campaigns uniquely dangerous. GTIG’s reporting suggests the scam funnel wasn’t just about getting victims to connect wallets, it was about getting them onto the right device, on the right iOS version, so exploitation could do the rest.
At press time, the total crypto market cap stood at $2.45 trillion.



