Government-Grade iPhone Exploits Leaked Beyond State Control
Security researchers have identified a powerful suite of hacking tools originally designed for government use that can compromise iPhones running older software. What makes this discovery especially concerning is not just the capability of the tools — it’s where they’ve ended up.
According to mobile security company iVerify, the exploit suite has moved beyond its original government customer and is now being used by cybercriminals. That shift matters. Tools built for targeted surveillance under state oversight are now circulating in criminal ecosystems, where oversight doesn’t exist and intent is far less predictable.
The exploit kit, known as Coruna, was obtained and reverse-engineered by iVerify. During their investigation, researchers linked the toolset to a U.S. government customer. The findings were published in a technical analysis outlining how the tools function and how they are now being repurposed.
How the Coruna Exploit Kit Targets iPhones
Exploiting Older iOS Versions
The hacking tools are capable of compromising iPhones running outdated software. Devices that have not been updated are particularly vulnerable, as older operating systems often contain security flaws that have since been patched in newer releases.
This is a critical point: exploitation doesn’t necessarily require user interaction if the vulnerability is severe enough. Older devices, or phones whose updates have been delayed, present a significantly lower barrier for attackers using mature exploit frameworks like Coruna.
Reverse Engineering Reveals Operational Capabilities
iVerify’s researchers didn’t just detect suspicious behavior — they acquired the toolset and performed reverse engineering to understand its architecture and function. That process allowed them to confirm the technical capabilities of the exploit kit and trace its origins.
Reverse engineering in this context involves dissecting malware components, analyzing code execution paths, and identifying infrastructure patterns. This kind of technical validation strengthens attribution claims and supports the conclusion that the tools were originally developed for government use.
From Government Surveillance to Criminal Exploitation
The Risk of Exploit Leakage
The case highlights a longstanding concern in cybersecurity: tools developed for lawful government operations can leak, be stolen, or be resold. Once outside official channels, these exploits can be weaponized by cybercriminals or other non-state actors.
The transition from state-controlled deployment to criminal use creates a new threat model. Governments typically use such tools in targeted investigations. Criminal groups, however, may deploy them opportunistically, at scale, or for financial gain through extortion, data theft, or account takeover.
The discovery reinforces a core cybersecurity reality: once an exploit exists, containment is never guaranteed.
Backdoors and Dual-Use Technology
Exploits and backdoors can be used for both good and bad purposes. They’re often created for intelligence or law enforcement, but they work by taking advantage of security flaws. If these flaws aren’t reported and fixed, anyone who gets hold of the exploit code can use it to launch attacks.
The Coruna case demonstrates how that risk materializes in practice. A tool built for restricted use has entered broader circulation, illustrating how difficult it is to maintain long-term exclusivity over offensive cyber capabilities.
The Broader Cybersecurity Implications for iPhone Users
Outdated Devices as High-Value Targets
iPhones running older software are particularly susceptible to advanced exploit kits. When patches are released, they often address actively exploited vulnerabilities. Devices that remain unpatched effectively preserve those weaknesses.
For cybercriminals, this creates a predictable opportunity: target populations that delay updates or rely on aging hardware.
The Expanding Criminal Marketplace for Advanced Exploits
The migration of government-grade tools into criminal hands reflects a broader trend in cybercrime. Advanced exploitation frameworks are increasingly accessible through underground markets, partnerships, or direct leakage from state-linked sources.
As more sophisticated capabilities become commoditized, the technical barrier to launching high-impact attacks decreases. This shifts the risk landscape for individuals, enterprises, and institutions alike.

