iPhone Hacking Tool Leaked: Millions at Risk – Protect Your Data Now!
A concerning wave of cyberattacks targeting Apple customers globally has been uncovered by security researchers. The malicious tools, known as Coruna and DarkSword, have been employed by both state-sponsored actors and cybercriminals to compromise iPhones and iPads, stealing sensitive data. While widespread iPhone hacks have been rare in the past decade – previously limited to attacks against specific groups like Uyghur Muslims in China and individuals in Hong Kong – the recent leak of these powerful tools dramatically expands the potential risk to hundreds of millions of users. This article breaks down the details of these threats and provides actionable steps to protect your data.
What are Coruna and DarkSword?
Coruna and DarkSword represent sophisticated hacking toolkits, each equipped with a range of exploits designed to infiltrate iPhones and iPads and exfiltrate personal data. This includes messages, browsing history, location data, and even cryptocurrency holdings. The discovery of these tools raises serious concerns about the security of Apple devices and the potential for widespread data breaches.
Coruna: Targeting Older iOS Versions
Security researchers have determined that Coruna’s exploits are capable of hacking devices running iOS 13 through iOS 17.2.1 (released in December 2023). This means a significant number of iPhones and iPads remain vulnerable if they haven’t been updated to the latest software.
DarkSword: A More Immediate Threat
DarkSword is particularly alarming. It contains exploits targeting devices running iOS 18.4 and 18.7 (released in September 2025, according to Google researchers). However, the immediate danger stems from a recent leak. A portion of the DarkSword toolkit was published on code-sharing platform GitHub, making the malicious code readily accessible to anyone and enabling them to launch attacks against Apple users with older iOS versions. This ease of access transforms DarkSword into a “plug-and-play” hacking solution, as described by Justin Albrecht, principal researcher at Lookout.
How do Coruna and DarkSword Work?
These attacks are often indiscriminate, posing a risk to anyone who visits a compromised website hosting the malicious code. Victims can be infected simply by browsing a legitimate website that has been infiltrated by malicious actors. The attacks exploit vulnerabilities within iOS, granting hackers near-complete control over the targeted device.
Once a device is compromised, Coruna and DarkSword facilitate the theft of private data, which is then uploaded to a server controlled by the attackers. This data can be used for a variety of malicious purposes, including identity theft, financial fraud, and espionage.
The Origins of These Hacking Tools
Investigations reveal a complex history behind these tools. Parts of the Coruna toolkit were originally developed by Trenchant, a hacking and spyware unit within U.S. defense contractor L3Harris. Trenchant sells exploits to the U.S. government and its allies. This highlights the concerning reality that tools developed for national security purposes can find their way into the wrong hands.
Kaspersky has linked two exploits within Coruna to Operation Triangulation, a sophisticated cyberattack allegedly carried out against Russian iPhone users, suggesting potential government involvement. The journey of Coruna demonstrates how powerful hacking tools, even those developed under strict secrecy, can leak and proliferate uncontrollably.
This isn’t an isolated incident. In 2017, an exploit developed by the U.S. National Security Agency (NSA) leaked online and was subsequently used in the devastating WannaCry ransomware attack, impacting hundreds of thousands of computers worldwide. The parallels are striking and underscore the inherent risks associated with the development and deployment of offensive cyber capabilities.
Regarding DarkSword, the origins remain unclear. Researchers have observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. The path from development to leak and subsequent use by various hacking groups remains a mystery.
How Did the DarkSword Tools Leak Online?
The identity of the individual or group responsible for leaking the DarkSword tools to GitHub, and their motivations, remain unknown. The tools themselves are written in HTML and JavaScript, making them relatively easy to configure and deploy by anyone with malicious intent. GearTech has reviewed the leaked code but will not link to the GitHub repository due to the potential for misuse.
GitHub has stated that it will preserve the leaked code for security research purposes, despite its potential for harm. Jesse Geraci, GitHub’s online safety counsel, explained that while the platform prohibits content directly supporting active attacks, it allows the publication of source code for educational value and to benefit the security community.
Is Your iPhone or iPad Vulnerable to DarkSword?
If your iPhone or iPad is running an outdated version of iOS, you are at risk. Apple has confirmed that users running the latest versions of iOS 15 through iOS 26 are protected. iVerify strongly recommends updating to iOS 18.7.6 or iOS 26.3.1 to mitigate all known vulnerabilities exploited by these attack chains.
According to Apple’s data, nearly one-third of iPhone and iPad users are still running older software. Given that Apple boasts over 2.5 billion active devices globally, this translates to potentially hundreds of millions of devices vulnerable to these hacking tools. This underscores the critical importance of keeping your devices updated.
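For anyone responsible for more than one device, the version numbers quoted above can be applied to an inventory export. The following is an added example, not code from the article, Apple or iVerify; the function names, labels and device names are constructed for illustration.

```python
import re

# Version bounds quoted in the article; labels and names are assumptions.
CORUNA_RANGE = ((13, 0, 0), (17, 2, 1))          # "iOS 13 through iOS 17.2.1"
RECOMMENDED = {18: (18, 7, 6), 26: (26, 3, 1)}   # releases iVerify recommends


def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); return None for malformed input."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 18.7 == 18.7.0


def triage(version_text):
    """Classify one reported iOS/iPadOS version against the article's numbers."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    floor = RECOMMENDED.get(v[0])
    if floor is not None:
        return "meets-recommendation" if v >= floor else "update-required"
    low, high = CORUNA_RANGE
    if low <= v <= high:
        # The article gives no per-branch fixed release for iOS 15-17, so a
        # device here needs an update or a manual check against Apple's notes.
        return "in-coruna-range"
    return "no-data"  # the article states no bound for this version


def summarize(inventory):
    """Group (device, version) pairs by triage label."""
    report = {}
    for device, version in inventory:
        report.setdefault(triage(version), []).append(device)
    return report


# Constructed sample inventory, e.g. rows exported from an MDM console.
SAMPLE_INVENTORY = [
    ("ipad-lobby", "15.8"), ("iphone-cfo", "18.7"), ("iphone-dev", "26.3.1"),
    ("iphone-old", "17.2.1"), ("ipad-kiosk", "n/a"),
]

if __name__ == "__main__":
    for label, devices in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{label}: {', '.join(devices)}")
```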
What If You Can’t or Don’t Want to Upgrade to iOS 26?
Apple also recommends enabling Lockdown Mode, an optional security feature introduced in iOS 16. Lockdown Mode provides an extra layer of protection against targeted attacks. It is particularly beneficial for journalists, dissidents, human rights activists, and anyone who believes they may be a target due to their profession or activities.
While Lockdown Mode is not foolproof, there is currently no public evidence of hackers successfully bypassing its protections. Apple is currently verifying this claim. Lockdown Mode has already proven effective in preventing at least one attempt to install spyware on a human rights defender’s phone.
Protecting Yourself: Key Takeaways
- Update Your Software: The most effective defense is to ensure your iPhone or iPad is running the latest version of iOS.
- Enable Lockdown Mode: Consider enabling Lockdown Mode if you believe you may be a target for sophisticated attacks.
- Be Cautious of Links: Avoid clicking on suspicious links or visiting untrusted websites.
- Monitor Your Accounts: Regularly monitor your financial accounts and personal information for any signs of unauthorized activity.
- Stay Informed: Keep up-to-date on the latest security threats and best practices.
The leak of Coruna and DarkSword represents a significant escalation in the threat landscape for Apple users. By taking proactive steps to protect your devices and data, you can significantly reduce your risk of becoming a victim of these malicious attacks. The situation demands vigilance and a commitment to maintaining strong cybersecurity practices.