NextFin News - A sophisticated iPhone hacking toolkit originally commissioned by the U.S. government has leaked into the hands of Chinese and Russian cybercriminals, marking a dangerous shift in the democratization of high-end digital espionage. Research released this week by Google, iVerify, and Lookout reveals that "Coruna," a spyware suite developed by U.S. defense contractor L3Harris, is now being deployed by non-state actors to target civilians through "watering hole" attacks on financial platforms and news sites. The breach represents a collapse of the traditional barrier between state-grade surveillance and common cybercrime, effectively turning tools designed for national security into weapons for extortion and identity theft.
The discovery of Coruna and a related kit dubbed "DarkSword" on the same server suggests a rapid proliferation of exploits that were once the exclusive domain of well-funded intelligence agencies. According to Google researchers, Coruna was initially built for an unnamed government customer before being repurposed by a Chinese cybercriminal group to infect iPhones visiting fake cryptocurrency and financial platforms. These attacks require no user interaction—no clicks, no downloads—exploiting vulnerabilities in the iOS architecture to siphon off iMessages, WhatsApp history, location data, and browser cookies. The ease with which these tools have migrated from classified labs to criminal forums underscores a systemic failure in the oversight of the commercial spyware industry.
The trail of the leak leads back to Trenchant, a division of L3Harris. TechCrunch reported that Peter Williams, the former general manager of Trenchant, pleaded guilty in late 2025 to stealing trade secrets and selling zero-day exploits to a Russian broker. This internal compromise appears to have been the catalyst for the current crisis. While L3Harris developed these tools for Western governments, the subsequent sale of the underlying code has allowed groups with significantly lower technical capabilities to launch devastating attacks. Justin Albrecht, Lookout’s director of mobile threat intelligence, noted that the developers of DarkSword likely used large language models to assist in their operations, indicating that AI is now being used to bridge the gap for less-skilled hackers using stolen high-end code.
Apple has responded by patching the specific vulnerabilities exploited by Coruna and DarkSword, but the sheer volume of legacy devices remains a critical weakness. Although Apple spokesperson Sarah O'Rourke emphasized that the company’s security teams work "tirelessly" and have issued emergency updates for older operating systems, the reality for the average user is increasingly grim. The "watering hole" nature of these attacks—infecting Ukrainian news sites and financial portals—means that any iPhone user, not just high-value political targets, is now at risk. iVerify’s research indicates that even Apple’s "Lockdown Mode," designed to thwart state-level hacking, would only have partially blocked the DarkSword exploit.
The economic incentives of the spyware market have created a self-sustaining ecosystem of exploitation. As U.S. President Trump’s administration continues to navigate the complexities of defense contracting, the Coruna leak serves as a stark reminder that digital weapons cannot be easily contained. Unlike a physical missile, a line of code can be copied and sold infinitely. The transition of these tools from "spies to thugs" suggests that the premium once placed on iPhone security is being eroded by a global surplus of mobile exploits. For the global financial sector and individual users alike, the era where iPhone malware was a rare, targeted phenomenon has ended, replaced by a landscape where state-grade surveillance is just another tool in the cybercriminal's kit.