A new iPhone-hacking exploit has exposed the uncomfortable truth that when governments build offensive attacks, they eventually come for all of us. Revealed by Google’s Threat Intelligence Group (GTIG) and iVerify , the Coruna exploit can compromise iPhones running iOS 13 through to iOS 17.2.1, though Apple has secured its systems against this threat in iOS 26. What Coruna does Coruna is dangerous and can hijack any iOS device just when a user visits a website. Its existence is a perfect illustration of how weaponized hacking tools do nothing to make us safer, and everything to make people more insecure. Coruna can steal data and cryptocurrency information, expose personal information, and more. Once hacked, the exploit will install software with root access that can run additional modules and collect text snippets from the device. It’s a complex set of tools that includes five exploit chains and 23 vulnerabilities that seem to have been designed to infiltrate devices and exfiltrate sensitive data. Everything about the kit screams of it being built by a highly resourced nation-state hacking organization. It’s so sophisticated it even recognizes when a device is in Lockdown Mode, at which point it ceases its attack. Made in the USA? The code is polished, the tools comprehensive, and it uses exploitation methods and security avoidance tricks the team hadn’t come across before. That’s why it looks like a well-financed exploit, one that first appeared in use by surveillance-as-a-service mercenary firms, later by a Russian espionage group, then by a Chinese group. Wired warns that it “may have been originally created by a US contractor and sold to the American government.” In other words, it’s a perfect illustration of how highly sophisticated attacks developed for nation-state use can, do, and indeed already are falling into the hands of criminals. The experts at iVerify who also studied the exploit warn: “Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations. The attack really demonstrates that the only way we can effectively protect our digital world is to ensure that everyone in that world is as safe as everybody else. There’s no such thing as a safe hack, no such thing as a controllable zero-day attack, no such thing as a safe backdoor. There are no safe back doors When it comes to Coruna, experts warn that thousands, perhaps tens of thousands, of iPhones might already have fallen victim since it is so effective and already so widely proliferated. That’s a particular threat given that 26% of all iPhones introduced since 2022 are not yet running iOS 26 , which means they aren’t yet protected against the attack. “The mobile threat landscape is not standing still, and the tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users,” iVerify warned. This was inevitable. Sophisticated attacking tools used by state hackers or those adjacent to those hackers will always slip into wider use eventually; even the NSO Group’s earliest Pegasus software exploits are allegedly now available for sale on the dark web. Those high-value attacks were originally used against human rights activists and journalists in the Middle East and Europe. While such exploits are usually described as being so sophisticated and costly to launch most of us need not fear them, the truth is that when those attacks proliferate, they do threaten everyone. Come together We know Apple is attempting to stay ahead in the security race. It doubled its available security bounty just last year, and its recently introduced Memory Integrity Enforcement (MIE) protection should help secure its platforms against attacks of this kind. But security protection is never perfect, humans remain the weakest link, and ordinary users seem increasingly likely to be exposed to sophisticated attacks as they reach down the food chain. Coruna may have been in use for years. But if you care about security, whoever it was who first built these attacks should have decided to report the vulnerability to Apple, not weaponize it to make a buck. If we work together, we make things safer. If we fail to find some way to get along, then no one will be safe — to the detriment of all. You can follow me on social media! Join me on BlueSky , LinkedIn , and Mastodon .