Disclaimer: Information found on CryptoreNews is those of writers quoted. It does not represent the opinions of CryptoreNews on whether to sell, buy or hold any investments. You are advised to conduct your own research before making any investment decisions. Use provided information at your own risk.
CryptoreNews covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.
The time of presumed invulnerability for iPhone users engaged in mobile crypto trading has come to an end. A sophisticated new threat, known as the ‘Coruna exploit kit’, is currently exploiting 23 distinct iOS vulnerabilities to circumvent Apple’s robust security measures and deplete crypto wallets.
A recent report from Google TAG reveals that the kit does more than just crash applications or display advertisements. It discreetly searches for BIP39 seed phrase theft, retrieves QR codes, and extracts private keys from devices that have not been updated. The funds are lost before the user becomes aware that their browser has been compromised.
#Big #Breaking #Coruna Exploit Kit #Targeting iOS for Crypto Theft
Confirmed & Analyzed
pic.twitter.com/fOsWmLGxIK
— Crypto Analyst (@shuklarewa9082) March 5, 2026
This is significant. For many years, complex exploit chains were the exclusive territory of nation-state intelligence agencies. Coruna signifies a disturbing shift: tools designed for state-level surveillance have been repurposed for widespread retail theft.
This warning regarding iPhone crypto wallets comes in light of Chainalysis reporting in 2025 that the market for crypto theft exceeds $75 billion, with wallet drainers constituting a substantial portion of that total.
(SOURCE: CoinGecko)
How Coruna Exploits 23 iOS Vulnerabilities to Drain Crypto Wallets
The Coruna exploit kit represents a highly effective “1-click” attack that activates when a user accesses a compromised website, often masquerading as a gambling or news site.
It exploits vulnerabilities in WebKit to infiltrate the device, subsequently employing local privilege escalation exploits to escape the browser’s sandbox environment.
Examining iOS versions 13.0 to 17.2.1, Coruna utilizes multiple entry points to deploy a crypto wallet drainer aimed at stealing blockchain assets.
It scans the file system for cryptocurrency-related strings, inspects the photo library for QR codes, and retrieves mnemonic phrases from the Notes application.
This automated exploitation can lead to immediate and irreversible asset theft, necessitating vigilance from any iPhone user who utilizes their device for crypto trading and asset storage.
DISCOVER: Next Crypto to Explode in 2026
State-Grade Malware Goes Mass Market
Related Posts
Historically, exploit chains of this sophistication were controlled by organizations like NSO Group for the targeted surveillance of high-profile individuals—dissidents, journalists, or diplomats.
Coruna alters this narrative. It repurposes vulnerabilities utilized in operations such as Operation Triangulation, a suspected state-sponsored initiative, and distributes them to financially motivated criminal organizations.
The threshold for executing a complex MetaMask hack or draining a Trust Wallet has significantly lowered, enabling even the least experienced tech users to perform such actions.
This follows a concerning trend where tools originally developed for espionage inevitably infiltrate the wider cybercriminal landscape. The perpetrators behind Coruna are not seeking state secrets; they are after liquidity.
This represents large-scale theft. The iVerify security firm has documented the exploit impacting at least 42,000 devices, with total losses yet to be disclosed.
BREAKING: New “Coruna” iOS Exploit Targets Crypto Wallets!
Apple users, stop being exit liquidity! “Coruna” packs 23 exploits for 3 targets: 1) iOS 13-17.2.1 users 2) MetaMask/Uniswap degens 3) Phishing link clickers.
Open a site, and it auto-scans for your seed phrases.pic.twitter.com/zE2ZBmdtuD
— Vortex (@Vortex_Quant) March 5, 2026
Who Is Being Targeted and Why Mobile Crypto Traders Are Especially Exposed
If you engage in trading on mobile devices and maintain self-custody wallets, you fit the target profile. The attack vectors are frequently embedded in websites that crypto users visit: unregulated gambling platforms, questionable token claim pages, and unofficial app stores.
The malware specifically targets data directories linked to major non-custodial wallets. It seeks out the encrypted vaults of MetaMask, BitKeep (now Bitget Wallet), and Trust Wallet. If the encryption is inadequate, or if the user has saved the password in a compromised keychain or note, the wallet may be drained.
The risk is heightened by user behavior. Mobile traders often engage with DApps and authorize transactions while on the move, frequently prioritizing speed over security practices.
Coruna takes advantage of this negligence. It does not need to deceive you into authorizing a harmful transaction; it simply steals the keys to your assets while you browse.
For the time being, exercise caution and consider transferring your crypto assets to cold wallet storage solutions, such as a Ledger or Trezor.
EXPLORE: Best Crypto Presales to Buy in 2026
The post iPhone Crypto Wallets Under Attack from State-Grade Malware appeared first on Cryptonews.
