A major hacking tool has leaked online, putting millions of iPhones at risk. Here’s what you need to know

🚀 Read this insightful post from TechCrunch 📖

📂 **Category**: Security,Apple,Coruna,cybercrime,cybersecurity,Darksword,Google,hackers,hacking,iOS,iPhone,iverify,Lookout,russia,Zero-days


Security researchers have uncovered a series of cyberattacks targeting Apple customers around the world. The tools used in these hacking campaigns have been dubbed Coruna and DarkSword, and have been used by government spies and cybercriminals to steal data from people’s iPhones and iPads.

It’s rare to see large-scale hacks targeting iPhone and iPad users. In the past decade, the only precedents have been attacks against Uyghur Muslims in China, and against people in Hong Kong.

Now, some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running outdated software at risk of data theft.

We explain what we know and don’t know about the latest iPhone and iPad hacking threats, and what you can do to stay protected.

What are Coruna and DarkSword?

Coruna and DarkSword are two sets of advanced hacking tools that each contain a set of exploits capable of breaking into iPhones and iPads and stealing a person’s data, such as their messages, browser data, location history, and cryptocurrencies.

Security researchers who discovered the toolkits say the Coruna exploits can compromise iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023.

However, DarkSword contains exploits capable of compromising iPhones and iPads running newer software, iOS 18.4 and 18.7, which were released in September 2025, according to Google security researchers investigating the code.

But the threat posed by DarkSword is more pressing to the general public. Someone leaked part of DarkSword and posted it on the code-sharing site GitHub, making it easier for anyone to download malicious code and launch their own attacks targeting Apple users running older versions of iOS.

How do Coruna and DarkSword work?

Attacks of this kind are by definition indiscriminate and dangerous, because they can catch anyone who visits a particular website hosting the malicious code.

In some cases, victims can be hacked simply by visiting a legitimate website that is controlled by malicious hackers.

When victims are initially infected, both Coruna and DarkSword exploit several vulnerabilities in iOS that allow hackers to gain virtually full control of a target’s device, allowing them to steal a person’s private data. The data is then uploaded to a web server run by the hackers.

At least some parts of the Coruna toolkit, as TechCrunch previously reported, were originally developed by Trenchant, the hacking and spyware unit within US defense company L3Harris, which sells exploit software to the US government and its top allies.

Kaspersky also linked two of the exploits in the Coruna toolkit to Operation Triangulation, a sophisticated and likely government-led cyberattack allegedly carried out against Russian iPhone users.

After Trenchant developed Coruna, these exploits somehow found their way (it’s not clear how) into the hands of Russian spies and Chinese cybercriminals, perhaps through one or more intermediaries selling exploits on the underground market.

The travels of Coruna show once again that powerful hacking tools, including those developed for the United States under strict confidentiality restrictions, can leak and spread out of control.

One example of this was in 2017 when an exploit developed by the US National Security Agency, which was able to remotely hack Windows computers around the world, leaked online. The same exploit was then used in the devastating WannaCry ransomware attack, which randomly compromised hundreds of thousands of computers around the world.

In the case of DarkSword, researchers observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. It remains unclear who originally developed DarkSword, how it ended up with different hacking groups, or how the tools were leaked online.

It’s not clear who leaked it and posted it online on GitHub, or for what reason.

The hacking tools, seen by TechCrunch, are written in the web languages HTML and JavaScript, making them relatively easy to configure and self-host anywhere by anyone who wants to launch malicious attacks. (TechCrunch is not affiliated with GitHub where the tools could be used in malicious attacks.) Researchers publishing on X have already tested the leaked tools by hacking their own Apple devices running vulnerable versions of the company’s software.

DarkSword is now “basically plug-and-play,” Justin Albrecht, principal researcher at mobile security company Lookout, explained to TechCrunch.

GitHub told TechCrunch that it has not removed the leaked code, but will preserve it for security research.

“GitHub’s Acceptable Use Policies prohibit posting content that directly supports illegal active attacks or malware campaigns that cause technical damage,” Jesse Geraci, a cyber safety advisor at GitHub, told TechCrunch. “However, we do not prohibit publishing source code that could be used to develop malware or exploits, as publishing and distributing such source code has educational value and provides a net benefit to the security community.”

Is my iPhone or iPad vulnerable to DarkSword?

If you have an outdated iPhone or iPad, you should consider updating right away.

Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.

According to iVerify: “We highly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities exploited in these attack chains.”

According to Apple’s own statistics, nearly one in three iPhone and iPad users still aren’t using the latest iOS 26 software. This means there are potentially hundreds of millions of devices vulnerable to these hacking tools, with Apple touting more than 2.5 billion active devices worldwide.

What if I can’t or don’t want to upgrade to iOS 26?

Apple also said that Lockdown Mode, an additional security feature first introduced in iOS 16, blocks these specific attacks.

Lockdown Mode is useful for journalists, dissidents, human rights activists, and anyone who believes they may be targeted because of their identity or the work they do.

Although Lockdown Mode is not perfect, there is no public evidence that hackers have yet been able to bypass its protections. (We asked Apple if this claim is still true, and will update if we hear back.) Lockdown Mode turns out to have prevented at least one attempt to plant spyware on a human rights defender’s phone.


🕒 **Posted on**: 1774535015
