A range of government hacking tools targeting iPhones are now being used by cybercriminals

Security researchers have identified a set of powerful hacking tools capable of breaching Apple iPhones running outdated software that they say has passed from a government client into the hands of cybercriminals.

Google said Tuesday that it first identified the exploit kit, dubbed Corona, in February 2025 while a monitoring vendor was trying to hack into someone’s phone using spyware on behalf of a government client. Months later, it found the same exploit kit that targeted Ukrainian users in a large-scale campaign carried out by a Russian spy group, and later discovered it was being used by a financially motivated hacker in China.

It’s not clear how the tools leaked or spread, but security researchers at Google have warned of an emerging market for “used” exploits, which are sold to hackers motivated by money to extract more value from the exploit.

The discovery also shows how exploits and backdoors designed for use by governments can leak and, ultimately, be abused by cybercriminals or other non-state actors. iVerify, a mobile security company that acquired and reverse-engineered the hacking tools, said in a blog post that it linked the coronavirus exploit kit to the US government, based on similarities to hacking tools previously attributed to the US.

“The more widespread the use, the more likely a leak will occur,” iVerify said. “Although iVerify has some evidence that this tool is a leaked US government framework, that should not overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Google said the hacking tools are powerful because they can bypass an iPhone’s defenses simply by visiting a malicious website containing the exploit code – such as sending a malicious link – in what is known as a “watering hole” attack. According to Google, the Coruna group can hack an iPhone in five separate ways by drawing on 23 separate vulnerabilities in its digital arsenal and chaining them together. Affected devices range from iPhone models running iOS 13 through 17.2.1, which was released in December 2023.

According to Wired, which first reported the news, the Corona toolkit contains components that were previously used in a hacking campaign dubbed Operation Triangulation. Russian cybersecurity company Kaspersky claimed in 2023 that the US government attempted to hack several of its employees’ iPhones.

While leaking hacking tools is rare, it is not unheard of. In 2017, the US National Security Agency discovered that tools it had developed to hack into Windows computers around the world had been stolen. The Windows backdoor, known as EternalBlue, was later deployed and used by cybercriminals in subsequent attacks, including the 2017 WannaCry ransomware attack by North Korea.

TechCrunch also recently reported on the case of Peter Williams, the former head of US defense contractor L3Harris Trenchant, who was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to an intermediary known to work with the Russian government.

According to prosecutors, Williams sold exploitative software that was able to compromise “millions of computers and devices” worldwide. At least one exploit was sold to a South Korean broker. It is unclear whether these vulnerabilities have been disclosed to software makers, or have been patched.