A mass hacking campaign targeting iPhone users in Ukraine and China used tools likely designed by US military contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, ended up in the hands of various hacking groups, including Russian government spies and Chinese cybercriminals.
Last week, Google revealed that it had discovered over the course of 2025 that a sophisticated toolkit had been used to hack iPhones in a series of global attacks. The toolkit, dubbed “Coruna” by its original developer, consists of 23 different components that were first used “in highly targeted operations” by an unnamed government client of an unspecified “surveillance vendor.” It was then used by Russian government spies against a limited number of Ukrainians, and finally by Chinese cybercriminals “in large-scale campaigns” aiming to steal money and cryptocurrencies.
Researchers at mobile cybersecurity company iVerify, which independently analyzed Coruna, said they believe it may have originally been built by a company that sold it to the US government.
Two former employees of government contractor L3Harris told TechCrunch that Coruna was developed, at least in part, by the company’s hacking and surveillance technology division, Trenchant. The former employees had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they are not allowed to talk about their work at the company.
“Coruna was definitely an internal name for a component,” said one former L3Harris employee, who was familiar with iPhone hacking tools as part of their work at Trenchant.
“Given the technical details, a lot of it is familiar,” this person said, referring to some evidence published by Google.
The former employee said Trenchant’s comprehensive toolkit included several different components, including Coruna and related malware. Another former employee confirmed that some of the details in the published hacking kit came from Trenchant.
L3Harris sells Trenchant’s hacking and surveillance tools exclusively to the US government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand and the UK. Given Trenchant’s limited number of customers, it is likely that Coruna was originally acquired and used by one of these governments’ intelligence agencies before falling into unintended hands, although it is unclear how much of the published Coruna hacking toolkit was developed by L3Harris Trenchant.
A L3Harris spokesperson did not respond to a request for comment.
It is unclear how Coruna passed from the hands of a Five Eyes government contractor to a Russian government hacking group, and then to a Chinese cybercrime gang.
But some of the circumstances appear similar to the case of Peter Williams, a former managing director at Trenchant. From 2022 until his resignation in mid-2025, Williams sold eight of the company’s hacking tools to Operation Zero, a Russian company that offers millions of dollars for zero-day exploits, meaning exploits for vulnerabilities unknown to the affected vendor.
Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after he admitted stealing and selling the eight Trenchant hacking tools to Operation Zero for $1.3 million.
The US government said Williams, who exploited “full access” to Trenchant’s networks, “betrayed” the United States and its allies. Prosecutors accused him of leaking tools that could have allowed those who used them “to potentially gain access to millions of computers and devices around the world,” suggesting that the tools relied on vulnerabilities affecting widely used software such as iOS.
Operation Zero, which was sanctioned by the US government last month, claims to work exclusively with the Russian government and local companies. The US Treasury Department claimed that the Russian intermediary sold “stolen Williams tools to at least one unauthorized user.”
This would explain how the Russian spy group, identified by Google only as UNC6353, acquired Coruna and planted it on hacked Ukrainian websites so that it could hack some iPhone users from a specific geographical location who had unwittingly visited the malicious site.
It is possible that once Operation Zero acquired Coruna and potentially sold it to the Russian government, the intermediary then resold the toolkit to someone else, perhaps another intermediary, another country, or even directly to cybercriminals. The Treasury Department alleged that a member of the Trickbot ransomware gang worked with Operation Zero, linking the broker to financially motivated hackers.
At that point, Coruna may have passed into other hands until it reached Chinese hackers. According to US prosecutors, Williams identified code he wrote and sold to Operation Zero that was later used by a South Korean intermediary.

Operation Triangulation
Two specific Coruna exploits and the underlying vulnerabilities, called Photon and Gallium by the original developers, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly used against Russian iPhone users, Google researchers wrote on Tuesday. Operation Triangulation was first revealed by Kaspersky in 2023.
Rocky Cole, co-founder of iVerify, told TechCrunch that “the best explanation based on what is known now” suggests that Trenchant and the US government were the original developers and customers of Coruna, although Cole added that he is not claiming this “definitively.”
He added that this assessment depends on three factors: the timeline of Coruna’s use is consistent with Williams’ leaks; the structure of three units – Plasma, Photon, and Gallium – found in Coruna bears strong similarities to Triangulation; and Coruna reused some of the same exploits used in that operation.
According to Cole, “people close to the defense community” claim that Plasma was used in Operation Triangulation, “although there is no public evidence of this.” (Cole previously worked for the US National Security Agency.)
According to Google and iVerify, Coruna was designed to compromise iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. These dates align with the timeline of some of Williams’ leaks, and with the discovery of Operation Triangulation.
One former Trenchant employee told TechCrunch that when Triangulation was first revealed in 2023, other employees at the company believed that at least one of the zero-days captured by Kaspersky “was from us, and was likely ‘cut’ from” the overall project that included Coruna.
Another link to Trenchant – as pointed out by security researcher Costin Raiu – is the use of bird names for some of the 23 tools, such as Cassowary, Terrorbird, Bluebird, Jacurutu and Sparrow. In 2021, The Washington Post revealed that Azimuth, one of two startups that L3Harris later acquired and merged into Trenchant, sold a hacking tool called Condor to the FBI in the infamous San Bernardino iPhone hacking case.
After Kaspersky published its research on Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said at the time that the company had no information about the FSB allegations. The spokesperson noted that the “indicators of compromise” – that is, evidence of compromise – identified by the Russian National Coordination Center for Computer Incidents (NCCCI) are the same indicators identified by Kaspersky.
“Despite our extensive research, we are unable to attribute Operation Triangulation to any known [Advanced Persistent Threat] group or exploit development company,” Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email.
Larin explained that Google linked Coruna to Operation Triangulation because they both exploit the same two vulnerabilities – Photon and Gallium.
“Attribution cannot be based solely on the fact that these vulnerabilities were exploited. All the details of these two vulnerabilities have been publicly available for a long time,” he added, and thus anyone could have taken advantage of them, adding that these two shared vulnerabilities are “just the tip of the iceberg.”
Kaspersky has never publicly accused the US government of being behind Operation Triangulation. Curiously, the logo the company created for the campaign – an Apple logo consisting of several triangles – is reminiscent of the L3Harris logo. It may not be a coincidence. Kaspersky has previously said it would not publicly attribute a hacking campaign while quietly indicating that it already knew who was behind it, or who provided the tools for it.
In 2014, Kaspersky announced that it had captured a sophisticated and elusive government hacking group known as “Careto” (Spanish for “mask”). The company said only that the hackers spoke Spanish. But the mask illustration the company used in its report included the red and yellow colors of the Spanish flag, bull horns and nose ring, and castanets.
As TechCrunch revealed last year, Kaspersky researchers privately concluded that “there is no doubt,” as one of them put it, that Careto was run by the Spanish government.
On Wednesday, cybersecurity journalist Patrick Gray said on an episode of his Risky Business podcast that he believed – based on “bits and pieces” he was confident in – that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign.
Apple, Google, Kaspersky, and Operation Zero did not respond to requests for comment.
🕒 **Posted on**: 1773110075
