DEV Community

ohmygod
ohmygod

Posted on

The Coruna & Darksword iOS Exploit Kits: Why Your iPhone Is No Longer a Safe Crypto Vault (and 8 Defenses That Actually Work)

#security #cryptocurrency #ios #defi

Google's Threat Intelligence Group just dropped a bombshell: two iOS exploit kits — Coruna (targeting iOS 13.0–17.2.1) and Darksword (targeting iOS 18.4–18.7) — are actively draining cryptocurrency wallets from iPhones worldwide. Coruna alone packs 23 exploits across 5 full exploit chains, and its payload specifically hunts for seed phrases in 18+ wallet apps including MetaMask, Phantom, and BitKeep.

This isn't theoretical. This is happening now.

The Kill Chain: How Coruna Turns Your iPhone Into an ATM

Stage 1: Initial Compromise

Victims land on fake financial or cryptocurrency websites — often promoted through search ads, social media, or messaging apps. The exploit triggers silently through the browser. No clicks required beyond visiting the page.

Stage 2: PlasmaLoader Deployment

Once the device is compromised, Coruna deploys PlasmaLoader (also tracked as PLASMAGRID), a modular payload framework designed for financial theft. It operates entirely in memory on newer chains, leaving minimal forensic traces.

Stage 3: Seed Phrase Extraction

This is where it gets ugly. PlasmaLoader doesn't just monitor clipboard or keylog — it performs:

  • Image scanning: Searches your photo library for QR codes containing wallet data
  • Text file mining: Scans Apple Notes, text files, and documents for BIP39 seed phrases
  • Keyword hunting: Looks for strings like "backup phrase," "recovery words," "seed phrase," and even "bank account"
  • Wallet app data extraction: Directly targets encrypted storage of 18+ crypto wallet applications

If you ever took a screenshot of your seed phrase "just in case" — that screenshot is now an attack surface.

Stage 4: Exfiltration and Drain

Extracted credentials are sent to C2 infrastructure, and wallets are drained — often within minutes. Transactions on-chain are irreversible.

The Threat Actor Pipeline

What makes Coruna particularly alarming is its provenance chain:

  1. Commercial surveillance vendor → Originally developed as a lawful intercept tool
  2. UNC6353 (suspected Russian espionage group) → Acquired and weaponized it
  3. UNC6691 (financially motivated Chinese threat actor) → Deployed it at scale against crypto users via fake DeFi and exchange websites

This is the commoditization of zero-day chains. What was once nation-state capability is now used for financial theft at scale.

Darksword: The Sequel Targeting Newer iPhones

Just as Apple patched against Coruna, researchers identified Darksword — a separate exploit kit targeting iOS 18.4 through 18.7, attributed to suspected Russian hackers potentially using U.S. government-developed tools. This means even users who diligently updated past Coruna's range may still be vulnerable.

The dual-kit threat creates a coverage gap: Coruna hits older devices, Darksword hits newer ones. Together, they span a massive portion of the active iPhone install base.

8 Defenses That Actually Work

1. Update iOS Immediately — No Exceptions

  • Latest iOS version patches both Coruna and Darksword chains
  • If you can't update to the latest: iOS 15.8.7 and iOS 16.7.15 (released March 2026) specifically address Coruna
  • Set automatic updates to ON — the 24-hour delay in manual updating is the window attackers exploit

2. Enable Lockdown Mode

Apple's Lockdown Mode was designed exactly for this threat class. It:

  • Blocks most message attachment types
  • Disables JIT JavaScript compilation (kills most browser exploit chains)
  • Blocks incoming FaceTime from unknown callers
  • Removes most font and image codec attack surface

Google's own analysis confirmed Lockdown Mode stops Coruna's browser-based exploit chains. If you hold significant crypto on a device, this is non-negotiable.

3. Physically Separate Your Crypto Device

The gold standard: maintain a dedicated device for crypto operations that:

  • Has no social media apps installed
  • Never browses random websites
  • Only connects to known WiFi networks
  • Has a minimal app footprint

This isn't paranoia — it's the same principle as air-gapped signing. Your daily driver iPhone that opens links from Twitter, Telegram, and email should never be the same device that holds your keys.

4. Purge Seed Phrase Artifacts

Audit your device right now:

  • Photos: Search for screenshots of seed phrases, QR codes of wallet addresses
  • Notes: Delete any notes containing recovery phrases
  • Files: Check Downloads, iCloud Drive for any backup documents
  • Clipboard history: Clear it regularly (PlasmaLoader monitors pasteboard)

Your seed phrase should exist on metal or paper, stored offline. Period.

5. Use Hardware Wallets for Significant Holdings

Mobile wallets (MetaMask, Phantom, etc.) are hot wallets — they're connected to the internet and vulnerable to device-level compromise. For any amount you can't afford to lose:

  • Use a hardware wallet (Ledger, Trezor, Keystone)
  • Sign transactions on the hardware device
  • Use your phone only as a viewer/broadcaster, never as a signer for large amounts

6. Verify DeFi Sites Through Multiple Channels

Coruna's primary delivery mechanism is fake financial websites. Before connecting your wallet to any DeFi protocol:

  • Navigate to the protocol's official Twitter/X → find the link there
  • Cross-reference with DeFiLlama, CoinGecko, or the protocol's GitHub
  • Never click links from search ads — attackers routinely buy Google/Bing ads for fake versions of popular DeFi protocols
  • Check the URL character by character — homoglyph attacks (using look-alike Unicode characters) are common

7. Implement Token Approval Hygiene

Even if your device isn't compromised, unlimited token approvals are a persistent risk. Monthly maintenance:

  • Use Revoke.cash or Etherscan Token Approval Checker to audit active approvals
  • Revoke any approvals you don't actively need
  • When approving, set specific amounts instead of unlimited
  • For Solana: check and revoke delegate authorities via SolanaFM or your wallet's approval manager

8. Monitor for Compromise Indicators

Set up alerts for your wallet addresses:

  • Forta bots for on-chain anomaly detection
  • Wallet-native notifications (most major wallets support this)
  • Etherscan/Solscan watch lists with email alerts
  • If you see any unauthorized transaction — even a dust transaction — treat it as a potential address poisoning attempt and do not reuse that address from transaction history

The Bigger Picture: Mobile Is the New Attack Surface

The crypto security community has spent years hardening smart contracts, improving audit tooling, and building on-chain monitoring. But the Coruna/Darksword revelations expose a blind spot: the device layer.

It doesn't matter if your smart contract is formally verified and your protocol has a $10M bug bounty if the end user's phone is compromised at the OS level. The attack bypasses every on-chain security measure because it steals the keys before any transaction is constructed.

This is why defense-in-depth matters:

  • Protocol level: Audits, formal verification, bug bounties
  • Application level: Approval limits, transaction simulation
  • Device level: OS updates, Lockdown Mode, device separation
  • Human level: Seed phrase hygiene, link verification, skepticism

The weakest link in 2026 isn't your Solidity code. It's the iPhone in your pocket with a screenshot of your seed phrase in the Photos app.

Stay paranoid. Stay patched. And for the love of Satoshi, delete that seed phrase screenshot.

Top comments (0)