Critical Google Warning: ‘Coruna’ iPhone Exploit Targets Crypto Wallets

MOUNTAIN VIEW, Calif. — March 15, 2026: Google’s Threat Analysis Group (TAG) issued an urgent security bulletin today warning iPhone users of a sophisticated new exploit dubbed ‘Coruna’ that specifically targets cryptocurrency wallets stored on iOS devices. The vulnerability, discovered during routine surveillance of commercial spyware vendors, allows attackers to bypass Apple’s security sandbox and drain digital asset wallets without user interaction. Google researchers confirmed active exploitation attempts targeting high-net-worth individuals in at least three countries over the past 72 hours. The Coruna exploit represents one of the most targeted mobile cryptocurrency attacks documented to date, according to the TAG report published this morning.

Google’s TAG Reveals Coruna Exploit Technical Details

Google’s elite Threat Analysis Group, led by director Shane Huntley, published technical analysis showing the Coruna exploit chain leverages three zero-day vulnerabilities in iOS 18.2’s WebKit rendering engine and IOKit kernel framework. Huntley stated in the bulletin, “The exploit requires no user interaction beyond visiting a compromised website, making it particularly dangerous for cryptocurrency users who might access wallet management interfaces through mobile browsers.” The TAG team first detected suspicious activity on February 28, 2026, with confirmed attacks beginning March 12. According to their telemetry, the exploit achieves kernel-level privileges within 47 seconds of initial infection, then searches for specific cryptocurrency wallet applications and browser extensions.

Technical documents obtained by security researchers show the exploit uses a novel JavaScript engine corruption technique combined with a kernel memory leak to bypass Pointer Authentication Codes (PAC), Apple’s primary defense against memory corruption attacks. Once it has a foothold, Coruna establishes persistence through a hidden iOS profile and begins monitoring for cryptocurrency-related application activity. The malware specifically targets wallet applications including MetaMask, Trust Wallet, Phantom, and Coinbase Wallet, along with any browser-based wallet interfaces. Google has shared all technical indicators with Apple’s security team, who are developing patches expected within the next 7-10 days.

How the Coruna Exploit Drains Cryptocurrency Assets

The Coruna attack demonstrates unprecedented sophistication in mobile cryptocurrency theft, according to blockchain security firm CertiK, which analyzed sample attack patterns. Unlike previous mobile wallet attacks that required phishing or social engineering, Coruna operates silently after initial infection. The malware employs several techniques to bypass common security measures. First, it captures seed phrases and private keys through memory scraping when users unlock their wallets. Second, it intercepts transaction confirmations, replacing legitimate recipient addresses with attacker-controlled addresses while displaying the original address to the user. Third, it monitors clipboard activity for cryptocurrency addresses, a common user behavior when transferring funds.

  • Seed Phrase Extraction: The exploit reads wallet application memory to extract unencrypted seed phrases during normal operation, bypassing iOS sandbox restrictions through the kernel vulnerability.
  • Transaction Manipulation: By hooking into the WebView components used by many wallet applications, Coruna can modify transaction details in real-time without triggering security alerts.
  • Persistent Surveillance: Once installed, the malware establishes continuous monitoring for new wallet installations and cryptocurrency-related activity, maintaining access even after device reboots.
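
An added example, not code from Google, CertiK or any wallet vendor: because the recipient shown on an infected phone cannot be trusted, one defensive check is to reconcile, on a separate clean machine, the recipient you intended against the recipient actually recorded on-chain. The sketch compares Ethereum and Solana addresses as decoded bytes; the function names, tuple layout and sample addresses are constructed for illustration.

```python
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def decode_address(addr):
    """Return (chain, raw_bytes) for an Ethereum or Solana address; raise ValueError otherwise."""
    a = addr.strip()
    if a[:2] in ("0x", "0X"):
        raw = bytes.fromhex(a[2:])          # hex is case-insensitive, so checksummed
        if len(raw) != 20:                  # and lowercase forms decode identically
            raise ValueError("Ethereum address must be 20 bytes")
        return "ethereum", raw
    n = 0
    for ch in a:
        n = n * 58 + B58.index(ch)          # ValueError on a non-base58 character
    pad = len(a) - len(a.lstrip("1"))       # each leading '1' encodes one zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 32:
        raise ValueError("Solana address must be 32 bytes")
    return "solana", raw

def reconcile(transfers):
    """transfers: (tx_id, intended, on_chain) tuples. Return a finding for every non-match."""
    findings = []
    for tx_id, intended, on_chain in transfers:
        try:
            want, got = decode_address(intended), decode_address(on_chain)
        except ValueError as exc:
            findings.append((tx_id, "unparseable", str(exc)))
            continue
        if want != got:                     # compare full decoded bytes, never a prefix
            reason = "wrong-chain" if want[0] != got[0] else "recipient-substituted"
            findings.append((tx_id, reason, on_chain))
    return findings

# Constructed sample data (not real wallets or transactions).
SAMPLE = [
    ("tx-1", "0x" + "ab" * 20, "0x" + "AB" * 20),   # same bytes, different letter case
    ("tx-2", "0x" + "ab" * 20, "0x" + "cd" * 20),   # on-chain recipient differs
    ("tx-3", "1" * 31 + "2", "1" * 31 + "2"),       # Solana, matches
    ("tx-4", "1" * 31 + "2", "1" * 31 + "3"),       # Solana, on-chain recipient differs
    ("tx-5", "0x" + "ab" * 20, "0x1234"),           # truncated record
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE):
        print(finding)
```

The intended addresses should come from a record kept off the phone, and the on-chain values from a block explorer or node queried from the clean machine.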

Security Experts Warn of Sophisticated Attack Campaign

Dr. Sarah Chen, Chief Security Officer at blockchain analytics firm Chainalysis, confirmed her team has observed related attack patterns. “We’ve traced approximately $2.3 million in cryptocurrency thefts over the past week that match the Coruna exploit’s behavior patterns,” Chen stated in an interview. “The attacks appear highly targeted, focusing on individuals with wallet balances exceeding $50,000. This isn’t random malware—it’s surgical financial theft.” Chen’s analysis shows victims primarily in the United States, South Korea, and Germany, with Ethereum and Solana assets being the most frequently stolen. The European Union Agency for Cybersecurity (ENISA) has issued a separate advisory warning financial institutions about the exploit’s potential to compromise corporate cryptocurrency holdings managed on mobile devices.

Comparing Coruna to Previous Mobile Cryptocurrency Threats

The Coruna exploit represents an evolution in mobile cryptocurrency attack methodology. Previous attacks relied on social engineering, fake applications, or less sophisticated technical approaches. The table below illustrates key differences between Coruna and notable historical mobile cryptocurrency threats, highlighting why security researchers consider this exploit particularly dangerous.

| Exploit Name | Year Discovered | Primary Method | Estimated Losses |
|---|---|---|---|
| Coruna (Current) | 2026 | Zero-day iOS vulnerability chain | $2.3M+ (first week) |
| Fake Trezor App | 2024 | Malicious App Store impersonation | $1.7M total |
| Clipboard Hijacker | 2023 | Android malware monitoring clipboard | $850K total |
| iMessage Phishing | 2025 | Social engineering via iMessage | $1.2M total |

According to data from cybersecurity firm Kaspersky, mobile cryptocurrency theft increased by 300% between 2023 and 2025, with iOS devices becoming increasingly targeted as Android security improved. The Coruna exploit’s technical sophistication suggests a well-funded development team, likely associated with a nation-state or sophisticated cybercrime organization. Historical context shows similar exploit chains have sold for between $1.5 million and $3 million on underground markets, according to threat intelligence firm Recorded Future.

Immediate Protective Measures and Apple’s Response Timeline

Google’s TAG recommends immediate protective actions while awaiting Apple’s official patch. iPhone users should avoid accessing cryptocurrency wallet interfaces through Safari or other browsers until iOS 18.2.1 is released. Instead, users should rely exclusively on hardware wallets disconnected from their phones or use dedicated desktop computers for cryptocurrency transactions. Additionally, users should disable JavaScript in Safari settings as a temporary mitigation, though this will break many legitimate websites. For those who suspect infection, a complete device wipe and restoration from a backup dated before March 1, 2026, is recommended, followed by changing all cryptocurrency wallet seeds and passwords from a secure device.

Cryptocurrency Community and Developer Reactions

The cryptocurrency development community has responded with urgency. MetaMask announced it would release an emergency update to its iOS application within 24 hours implementing additional runtime integrity checks. “Our team is working around the clock to implement defensive measures that can detect and block Coruna’s memory access patterns,” said MetaMask lead developer Dan Finlay in a community update. Meanwhile, the Solana Foundation issued a security alert to its developer ecosystem, recommending temporary pauses on mobile dApp interfaces. On social media platform X, cryptocurrency investors expressed widespread concern, with many reporting they would transition exclusively to hardware wallets until the threat subsides. Blockchain security audit firms like OpenZeppelin have begun offering free security reviews for mobile cryptocurrency applications in response to the exploit’s discovery.

Conclusion

The Coruna iPhone exploit warning from Google represents a critical moment for mobile cryptocurrency security. This sophisticated attack chain demonstrates how advanced vulnerabilities can directly threaten digital assets, bypassing years of mobile security improvements. While Apple works on patches and cryptocurrency developers implement additional protections, users must take immediate precautions to secure their holdings. The incident underscores the ongoing cat-and-mouse game between security researchers and sophisticated attackers in the cryptocurrency space. As mobile devices become increasingly central to digital asset management, expect both attacks and defenses to grow more sophisticated. Monitor official channels from Apple, Google, and your wallet providers for updates, and consider this exploit a reminder that even the most secure platforms require constant vigilance in the cryptocurrency ecosystem.

Frequently Asked Questions

Q1: What is the Coruna iPhone exploit and how does it work?
The Coruna exploit is a chain of zero-day vulnerabilities in iOS 18.2 that allows attackers to gain kernel-level access to iPhones. Once installed through a compromised website, it searches for cryptocurrency wallet applications, extracts seed phrases and private keys, and manipulates transactions without the user’s knowledge.

Q2: How much cryptocurrency has been stolen using the Coruna exploit so far?
Blockchain analytics firm Chainalysis has confirmed approximately $2.3 million in thefts matching Coruna’s patterns during the first week of observed attacks. The actual total may be higher as investigations continue.

Q3: When will Apple release a patch for the Coruna vulnerability?
Apple is developing patches expected within 7-10 days of Google’s disclosure (March 15, 2026). The update will likely be iOS 18.2.1, which users should install immediately upon release.

Q4: What should iPhone users do to protect their cryptocurrency right now?
Immediately stop accessing cryptocurrency wallets through iPhone browsers. Use hardware wallets disconnected from your phone or switch to a secure desktop computer for all transactions. Disable JavaScript in Safari as a temporary measure and monitor for iOS updates.

Q5: Does the Coruna exploit affect Android devices or only iPhones?
Currently, Coruna specifically targets iOS vulnerabilities. However, security researchers warn that similar exploit chains could be developed for Android, and users of all mobile platforms should practice heightened security with cryptocurrency applications.

Q6: How can cryptocurrency developers protect their applications from Coruna-like exploits?
Developers should implement runtime application self-protection (RASP), memory encryption for sensitive data, and integrity checks that detect kernel-level tampering. Many wallet developers are releasing emergency updates with these additional protections.

This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.