A major hacking tool has leaked online, putting millions of iPhones at risk. Here’s what you need to know


Security researchers have uncovered a series of cyberattacks targeting Apple customers across the world. The tools used in these hacking campaigns have been dubbed Coruna and DarkSword, and they have been used by both government spies and cybercriminals to steal data from people’s iPhones and iPads. 

It’s rare to see widespread hacks targeting iPhone and iPad users. In the last decade, the only precedents have been attacks against Uyghur Muslims in China, and against people in Hong Kong.

Now, some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running out-of-date software at risk of data thefts.

We are breaking down what we know and what we don’t about these latest iPhone and iPad hacking threats, and what you can do to stay protected.

What are Coruna and DarkSword?

Coruna and DarkSword are two sets of advanced hacking toolkits that each contain a range of exploits capable of breaking into iPhones and iPads, and stealing a person’s data, such as their messages, browser data, location history, and cryptocurrency.

Security researchers who discovered the toolkits say Coruna’s exploits can hack iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023. 

DarkSword, however, contained exploits capable of hacking more recent iPhones and iPads running iOS 18.4 and 18.7, released in September 2025, according to security researchers with Google who are investigating the code.

But the threat from DarkSword is more immediate to the general public. Someone leaked part of DarkSword and published it on code sharing site GitHub, making it easy for anyone to download the malicious code and launch their own attacks targeting Apple users running older versions of iOS. 

How do Coruna and DarkSword work?

These types of attacks are by definition indiscriminate and dangerous, as they can ensnare anyone who visits a certain website hosting the malicious code.

Contact Us

Do you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.

In some cases, victims can be hacked simply by visiting a legitimate website under the control of malicious hackers.

When victims are initially infected, Coruna and DarkSword exploit several vulnerabilities in iOS that let hackers virtually take full control of the target’s device, allowing them to steal the person’s private data. The data is then uploaded to a web server run by the hackers. 

At least some parts of the Coruna toolkit, as TechCrunch previously reported, were originally developed by Trenchant, a hacking and spyware unit within U.S. defense contractor L3Harris, which sells exploits to the U.S. government and its top allies.

Kaspersky has also linked two exploits in Coruna’s toolkit to Operation Triangulation, a complex and likely government-led cyberattack allegedly carried out against Russian iPhone users.

After Trenchant developed Coruna — somehow, it’s not clear how — these exploits found their way into the hands of Russian spies and Chinese cybercriminals, perhaps through one or several intermediaries who sell exploits on the underground market. 

Coruna’s travels show again that powerful hacking tools, including those developed for the U.S. under tight secrecy restrictions, can leak and proliferate out of control. 

One example of this was in 2017 when an exploit developed by the U.S. National Security Agency, which was capable of remotely breaking into Windows computers around the world, leaked online. The same exploit was then used in the destructive WannaCry ransomware attack, which indiscriminately hacked hundreds of thousands of computers across the world. 

In the case of DarkSword, researchers have observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. It remains unclear who originally developed DarkSword, how it ended up with different hacking groups, or how the tools were leaked online.

It’s unclear who leaked DarkSword and published it online to GitHub, or for what reason.

The hacking tools, which TechCrunch has seen, are written in the web languages HTML and JavaScript, making them relatively easy to configure and self-host anywhere by anyone wanting to launch malicious attacks. (TechCrunch is not linking to GitHub as the tools can be used in malicious attacks.) Researchers posting on X have already tested the leaked tools by hacking into their own Apple devices running vulnerable versions of the company’s software.

DarkSword is now “essentially plug-and-play,” as Justin Albrecht, principal researcher at mobile security firm Lookout, explained to TechCrunch. 

GitHub told TechCrunch that it has not taken down the leaked code, but will preserve it for security research.

“GitHub’s Acceptable Use Policies prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” GitHub’s online safety counsel Jesse Geraci told TechCrunch. “However, we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.”

Is my iPhone or iPad vulnerable to DarkSword?

If you have an iPhone or iPad that is not up to date, you should consider updating immediately.

Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.

According to iVerify: “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities that have been exploited in these attack chains.”

According to Apple’s own statistics, almost one-in-three iPhone and iPad users are still not running the latest iOS 26 software. That means there are potentially hundreds of millions of devices vulnerable to these hacking tools, since Apple touts more than 2.5 billion active devices around the world. 

What if I can’t or don’t want to upgrade to iOS 26?

Apple also said that Lockdown Mode, an opt-in extra security feature first introduced in iOS 16, blocks these specific attacks on devices that have it turned on.

Lockdown Mode is helpful for journalists, dissidents, human rights activists, and anyone who thinks they may be targeted for who they are, or the work that they do. 

While Lockdown Mode is not perfect, there has been no public evidence that hackers have to date ever been able to bypass its protections. (We asked Apple if that claim still holds true, and will update if we hear back.) Lockdown Mode was found to have prevented at least one attempt to plant spyware on a human rights defender’s phone.
