iPhone Crypto Wallets Under Attack from State-Grade Malware

The era of assumed iPhone invincibility is over for mobile crypto traders. A sophisticated new threat, the ‘Coruna exploit kit’, is actively leveraging 23 disparate iOS vulnerabilities to bypass Apple’s top-notch security and drain crypto wallets.

According to a new Google TAG report, the kit does not just crash apps or serve ads. It silently scans for BIP39 seed phrase theft, extracts QR codes, and siphons private keys from unpatched devices. The funds are gone before the user realizes the browser has been compromised.

That matters. For years, advanced exploit chains were the exclusive domain of nation-state intelligence agencies. Coruna marks a terrifying regime change: state-grade surveillance tools have been repackaged for mass-market retail theft.

This iPhone crypto wallet warning comes as Chainalysis reported in 2025 that the crypto theft market is valued at over $75Bn, with wallet drainers accounting for a large amount of that figure.

How Coruna Exploits 23 iOS Vulnerabilities to Drain Crypto Wallets

The Coruna exploit kit is a highly efficient “1-click” attack that activates when a user visits a compromised site, often posing as a gambling or news platform.

It targets vulnerabilities in WebKit to breach the device, then uses local privilege escalation exploits to escape the browser’s sandbox.

Analyzing iOS versions 13.0 to 17.2.1, Coruna employs multiple entry points to deliver a crypto wallets drainer designed to steal blockchain assets.

It scans the file system for cryptocurrency-related strings, checks the photo library for QR codes, and extracts mnemonic phrases from the Notes app.

This automated exploitation can result in immediate and irreversible theft of assets, and any iPhone user who uses their device for crypto trading and asset storing needs to stay vigilant.

DISCOVER: Next Crypto to Explode in 2026

State-Grade Malware Goes Mass Market

Previously, exploit chains of this complexity were hoarded by entities like NSO Group for targeted surveillance of high-value targets—dissidents, journalists, or diplomats.

Coruna flips the script. It takes vulnerabilities weaponized in campaigns like Operation Triangulation, a suspected state-sponsored attack, and hands them to financially motivated criminal groups.

The barrier to entry for executing a sophisticated MetaMask hack or draining a Trust Wallet has collapsed, and even the most inexperienced tech heads can now carry it out.

This follows a disturbing pattern whereby tools developed for espionage inevitably leak into the broader cybercriminal ecosystem. The attackers behind Coruna are not looking for state secrets. They are looking for liquidity.

This is industrial-scale theft. The iVerify security firm documented the exploit affecting at least 42,000 devices, with total losses not yet announced.

Who Is Being Targeted and Why Mobile Crypto Traders Are Especially Exposed

If you trade on mobile and hold self-custody wallets, you are the target profile. The attack vectors are often embedded in sites that crypto users frequent: unregulated gambling interfaces, dubious token claim pages, and third-party app stores.

The malware explicitly targets data directories associated with major non-custodial wallets. It looks for the encrypted vaults of MetaMask, BitKeep (now Bitget Wallet), and Trust Wallet. If the encryption is weak, or if the user has stored the password in a compromised keychain or note, the wallet is drained.

The risk is compounded by user behavior. Mobile traders frequently interact with DApps and sign transactions on the go, often prioritizing speed over security hygiene.

Coruna exploits this complacency. It doesn’t need to trick you into signing a bad transaction; it simply steals the keys to the castle while you browse.

For now, proceed with caution and consider moving your crypto funds to cold wallet storage, such as a Ledger or Trezor.

EXPLORE: Best Crypto Presales to Buy in 2026