A powerful iPhone hacking toolkit believed to have been developed for Western intelligence agencies has reportedly spread far beyond its intended users.
According to a TechCrunch investigation, the toolkit, known internally as Coruna, was likely created by the U.S. defense contractor L3Harris but eventually ended up in the hands of Russian government hackers and Chinese cybercriminals.
Google revealed last week that throughout 2025, it tracked a sophisticated iPhone hacking platform used in several global attacks. The toolkit contained 23 different components and was originally designed for highly targeted surveillance operations by a government customer working with an unnamed surveillance vendor. Later, however, the same toolkit appeared in cyber campaigns carried out by Russian intelligence against Ukrainian targets and eventually in large-scale attacks by Chinese cybercriminal groups attempting to steal money and cryptocurrency.
Security researchers at the mobile cybersecurity company iVerify analyzed the toolkit independently and concluded it may have been developed by a contractor working with the U.S. government. Two former employees of L3Harris confirmed to TechCrunch that parts of the Coruna toolkit were developed by the company’s hacking and surveillance division called Trenchant.
One former employee familiar with the tools said Coruna was the internal name for one of the toolkit’s components. After reviewing the technical details published by Google, the person said many elements looked very familiar and resembled the work done inside the company.
Trenchant sells its surveillance and hacking technology only to the U.S. government and its close intelligence partners in the Five Eyes alliance, which includes the United States, United Kingdom, Canada, Australia, and New Zealand. Because the number of customers is limited, it is possible the toolkit was originally acquired by one of these governments before somehow leaking into other hands.
How the Coruna toolkit traveled from Western intelligence circles to Russian hackers and then to Chinese cybercriminal groups is still unclear. However, investigators believe a major clue lies in the actions of a former Trenchant executive named Peter Williams.
Williams, an Australian citizen and former general manager at Trenchant, was sentenced to seven years in prison after admitting that he stole and sold eight hacking tools from the company. Between 2022 and 2025 he sold the tools to Operation Zero, a Russian company that pays large sums for zero-day exploits, which are attack tools built on previously unknown software vulnerabilities. Prosecutors said Williams earned about 1.3 million dollars from the illegal sales.
U.S. authorities said Williams had full access to Trenchant’s internal systems and used that access to steal tools that could potentially compromise millions of computers and mobile devices around the world. Operation Zero, which was later sanctioned by the U.S. government, reportedly sells vulnerabilities and hacking tools to Russian government agencies and related companies.
Researchers believe this transaction may explain how the Russian espionage group known as UNC6353 gained access to the Coruna toolkit. According to Google, the Russian group deployed the malware through compromised Ukrainian websites that targeted iPhone users based on their geographic location. When victims visited the malicious websites, their devices were silently infected.
After that, the toolkit may have spread further through underground markets or brokers until it reached Chinese cybercriminals. Google reported that Chinese groups eventually used Coruna in wide-scale campaigns aimed at stealing financial assets and cryptocurrency from victims.
Some of the exploits inside Coruna have also been linked to another complex cyber campaign known as Operation Triangulation, which was first reported by Kaspersky in 2023. Researchers say two vulnerabilities called Photon and Gallium appear in both operations.
Rocky Cole, co-founder of iVerify and a former U.S. National Security Agency employee, said the available evidence strongly suggests that the original developers of Coruna were linked to the U.S. defense sector. He noted that the timeline of the toolkit matches the period when Williams leaked the stolen tools, and that several technical modules inside Coruna resemble components previously observed in Operation Triangulation.
The toolkit was designed to target iPhones running iOS versions from 13 up to 17.2.1, covering devices released between 2019 and late 2023. This timeline aligns with both the suspected leak of the tools and the discovery of earlier espionage campaigns.
Another small clue comes from the naming convention used in the toolkit. Several of the components were named after birds, such as Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. Security researchers noted that bird-themed names were also used in tools developed by companies that later became part of L3Harris’s Trenchant division.
Despite these clues, cybersecurity experts say it is still difficult to definitively attribute the toolkit to any specific government or intelligence agency. Kaspersky researchers who studied Operation Triangulation said that simply sharing the same vulnerabilities does not prove the same developer or attacker was responsible, especially because details of those vulnerabilities are now publicly known.
For now, Coruna remains an example of how powerful cyber weapons built for government surveillance can escape control and circulate globally. Once such tools leak into underground markets, they can quickly move between intelligence agencies, brokers, and criminal groups, dramatically increasing the risk to everyday users around the world.





