A range of government hacking tools targeting iPhones are now being used by cybercriminals


Security researchers have identified a set of powerful hacking tools, capable of breaching iPhones running outdated software, that they say has passed from a government client into the hands of cybercriminals.

Google said Tuesday that it first identified the exploit kit, dubbed Coruna, in February 2025, when a surveillance vendor tried to hack into someone’s phone using spyware on behalf of a government client. Months later, it found the same exploit kit targeting Ukrainian users in a large-scale campaign carried out by a Russian spy group, and later discovered it being used by a financially motivated hacker in China.

It is unclear how the tools leaked or spread, but security researchers at Google have warned of an emerging market for “used” exploit programs, which are sold to hackers motivated to extract more value from these vulnerabilities.

The discovery also shows how exploits and backdoors designed for use by governments can leak and, ultimately, be abused by cybercriminals or other non-state actors. Mobile security company iVerify said it obtained and reverse-engineered the hacking tools. In a blog post, it linked the Coruna exploit kit to the US government, based on similarities to hacking tools previously attributed to the US.

“The more widespread the use, the more likely a leak will occur,” iVerify said. “Although iVerify has some evidence that this tool is a leaked US government framework, that should not overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Google said the hacking tools are powerful, as they can bypass an iPhone’s defenses when the victim simply visits a malicious website containing the exploit code (for example, after being sent a malicious link), in what is known as a “watering hole” attack. According to Google, the Coruna kit can hack an iPhone in five separate ways by drawing on 23 separate vulnerabilities in its digital arsenal and chaining them together. Affected devices are iPhone models running iOS 13 through 17.2.1, which was released in December 2023.

According to Wired, which first reported the news, the Coruna kit contains components that were previously used in a hacking campaign called Operation Triangulation. Russian cybersecurity company Kaspersky claimed in 2023 that the US government attempted to hack several of its employees’ iPhones.

While leaks of hacking tools are rare, they are not unheard of. In 2017, the US National Security Agency discovered that tools it had developed to hack into Windows computers around the world had been stolen. A Windows backdoor, known as EternalBlue, was later deployed and used by cybercriminals in subsequent attacks, including the 2017 WannaCry ransomware attack by North Korea.

TechCrunch also recently reported on the case of Peter Williams, the former head of US defense contractor L3Harris Trenchant, who was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to an intermediary known to work with the Russian government.

According to prosecutors, Williams sold exploits that were capable of hacking “millions of computers and devices” around the world. At least one exploit was sold to a South Korean broker. It is unclear whether these vulnerabilities have been disclosed to software makers, or have been patched.
