iPhone Exploit Kit Targeting Crypto Wallets: State-Grade Malware And Tycoon 2FA Takedown

Google’s Threat Intelligence Group has confirmed a sophisticated iPhone exploit kit, dubbed “Coruna,” is actively targeting cryptocurrency wallet users across iOS versions 13.0 through 17.2.1. The kit chains together 23 vulnerabilities across five exploit sequences to silently extract seed phrases, private keys, and QR codes from compromised devices. Separately, a coalition led by Coinbase, Microsoft, and Europol dismantled Tycoon 2FA, a phishing-as-a-service platform responsible for 62% of MFA-bypass attempts Microsoft blocked by mid-2025.

How Coruna Works

Coruna operates as a “one-click” attack. A user visits a compromised website, often disguised as a gambling platform, token claim page, or crypto news site, and the kit silently takes over. It first exploits WebKit vulnerabilities to breach the browser, then escalates privileges to escape the sandbox entirely. From there, it scans the file system for cryptocurrency-related strings, searches the photo library for wallet QR codes, and pulls mnemonic phrases from the Notes app.

The malware explicitly targets data directories associated with MetaMask, Trust Wallet, and Bitget Wallet. Security firm iVerify documented infections across at least 42,000 devices. Google researchers first detected Coruna in February 2025, initially tracking its use by a suspected Russian espionage group operating against Ukrainian targets. The toolkit subsequently migrated into financially motivated campaigns, including fake Chinese crypto websites engineered purely to drain wallets.

That trajectory matters. Tools previously confined to nation-state operations, comparable in sophistication to NSO Group’s Pegasus infrastructure and the methods seen in Operation Triangulation, are now circulating within broader criminal networks. The barrier to executing a high-quality crypto wallet attack has collapsed significantly.

Who Is at Risk

Mobile traders operating self-custody wallets on unpatched iPhones represent the clearest target profile. Key risk factors include:

  • Running iOS 13.0 through 17.2.1 without the latest security patches
  • Storing seed phrases or passwords in Notes or the device keychain
  • Interacting with DApps or signing transactions through mobile browsers
  • Visiting unregulated gambling interfaces or third-party token claim pages

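As an added example (not code from the article or from any of the firms it cites), here is a small triage helper that flags devices whose iOS build falls inside the 13.0 through 17.2.1 range the article reports for Coruna. The inventory format and device names are constructed for illustration; it assumes an export of "device_id,ios_version" rows such as an MDM tool might produce.

```python
# Added example: flag inventory entries whose iOS version lies in the range the
# article reports Coruna targets (13.0 through 17.2.1, inclusive).
# Inventory format and device names below are constructed, not real data.

from typing import List, Tuple

AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Normalise '17.2' / '17.2.1' / '16.7.10' to a 3-tuple of ints.

    Tuple comparison is required: plain string comparison would rank
    '17.10' below '17.2' and misclassify the device.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def in_affected_range(version: str) -> bool:
    """True when the version is between 13.0 and 17.2.1, both ends inclusive."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


# Constructed sample inventory: one device per line, "device_id,ios_version".
SAMPLE_INVENTORY = """\
ipad-finance-01,16.7.10
iphone-trader-02,17.2.1
iphone-trader-03,17.3
iphone-ops-04,12.5.7
iphone-dev-05,17.10
iphone-bad-06,n/a
"""


def triage(inventory: str) -> List[str]:
    """Return device ids in the affected range; rows with unparsable versions are skipped."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        device_id, _, version = line.partition(",")
        try:
            if in_affected_range(version):
                flagged.append(device_id)
        except ValueError:
            continue  # malformed row: leave it for manual review rather than guess
    return flagged


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Devices the helper flags should be updated to the current iOS release rather than to 17.2.2; the range is only the reported exposure window, not a patch target.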
Chainalysis data from 2025 placed the broader crypto theft market at over $75 billion, with wallet drainers contributing a substantial share of that figure. Coruna is engineered to feed directly into that pipeline.

Tycoon 2FA Takedown Adds Context

The Coruna disclosure arrives alongside a separate enforcement action that underscores how industrialized crypto-targeted cybercrime has become. Europol announced Wednesday that Microsoft blocked 330 domains linked to Tycoon 2FA, a phishing platform purpose-built to bypass multi-factor authentication. The service sent over 30 million malicious emails in a single month at peak operation.

Coinbase contributed blockchain transaction tracing to the investigation, helping identify the platform’s alleged administrator and buyers. The combined effort dismantled core infrastructure that had been powering credential theft campaigns at scale.

What Users Should Do Now

The immediate remediation steps are straightforward. Update iOS to the latest available version, which patches the vulnerabilities Coruna targets. Avoid storing seed phrases in Notes, screenshots, or any synced cloud application. For significant holdings, hardware wallets remain the most defensible option. Treat any unsolicited link from a crypto-adjacent source as suspect, regardless of how legitimate the hosting domain appears.

The convergence of state-grade offensive tooling and mass-market financial crime is no longer a theoretical risk. It is active, documented, and targeting retail wallets today.

Alyssa Monroe
