A sophisticated iPhone hacking toolkit, dubbed “Coruna”, originally developed by U.S. military contractor L3Harris for intelligence operations, has ended up in the hands of Russian government hackers and Chinese cybercriminals, according to cybersecurity research and investigative reporting by TechCrunch. The toolkit, initially intended for targeted surveillance by Western agencies, has now been used in widespread campaigns aimed at stealing money, cryptocurrency, and sensitive information from users in multiple countries.
Toolkit Origins and Development
Coruna comprises 23 components and was first deployed in highly targeted operations for an unnamed government customer. Researchers at cybersecurity firm iVerify, which analyzed Coruna independently, believe it was created by Trenchant, L3Harris’ hacking and surveillance division, and sold exclusively to the U.S. government and its Five Eyes allies, including Australia, Canada, New Zealand, and the U.K.
Two former Trenchant employees confirmed that Coruna and related exploits were part of a larger internal toolkit. However, how it migrated from the Five Eyes ecosystem to Russian and later Chinese hackers remains unclear.
Russian Espionage Connection
Former Trenchant general manager Peter Williams, an Australian national, sold eight company hacking tools, including components of Coruna, to a Russian company known as Operation Zero between 2022 and 2025 for $1.3 million. Williams was sentenced to seven years in prison after admitting the theft. U.S. authorities warned that these tools could have granted access to millions of computers and iPhone devices worldwide.
Google researchers have linked two Coruna exploits, named Photon and Gallium, to Operation Triangulation, a hacking campaign targeting Russian iPhone users. These exploits were reportedly used as zero-days in the campaign, indicating a direct connection between the original toolkit and subsequent cyberattacks.
Global Impact
The toolkit affected iPhones running iOS 13 through 17.2.1, covering models released between September 2019 and December 2023. Russian spies deployed Coruna to hack specific Ukrainian users via compromised websites, while Chinese hackers later used it in broader financial cybercrime campaigns. Evidence suggests that parts of Coruna may have circulated among multiple brokers, cybercriminal groups, and state actors before reaching China.
Expert Insights
Renowned cybercrime expert and former IPS officer Professor Triveni Singh said, “Coruna illustrates how sensitive state-developed cyber tools can rapidly proliferate into the hands of unauthorized actors. Such leaks can transform intelligence-grade exploits into mass surveillance and financial crime instruments. Governments and corporations must urgently strengthen digital infrastructure and monitoring to prevent similar leaks in the future.”
Security analysts note that Coruna’s journey highlights a worrying trend: tools developed for national security, if leaked, can quickly become instruments of global cybercrime, threatening individuals, companies, and critical infrastructure alike.
Coruna’s development bears resemblance to earlier incidents, including the FBI iPhone cracking case involving Azimuth Security, later merged into L3Harris. Some of the Coruna tools reused exploits from previous campaigns like Operation Triangulation, further underlining how vulnerabilities can persist across different operations.
While L3Harris has not publicly commented, the case underscores the challenges of controlling cyber weapons once developed. Experts warn that without strict oversight, intelligence-grade hacking tools may continue to fuel large-scale cybercrime, espionage, and digital disruption globally.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
