A major hacking tool has leaked online, putting millions of iPhones at risk. Here’s what you need to know.
Lorenzo Franceschi-Bicchierai, 7:09 AM PDT · March 26, 2026
Security researchers have uncovered a series of cyberattacks targeting Apple customers across the world. The tools used in these hacking campaigns have been dubbed Coruna and DarkSword, and they have been used by both government spies and cybercriminals to steal data from people’s iPhones and iPads.
It’s rare to see widespread hacks targeting iPhone and iPad users. In the last decade, the only precedents have been attacks against Uyghur Muslims in China, and against people in Hong Kong.
Now, some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running out-of-date software at risk of data theft.
We are breaking down what we know and what we don’t about these latest iPhone and iPad hacking threats, and what you can do to stay protected.
Coruna and DarkSword are two sets of advanced hacking toolkits that each contain a range of exploits capable of breaking into iPhones and iPads and stealing a person’s data, such as their messages, browser data, location history, and cryptocurrency.
Security researchers who discovered the toolkits say Coruna’s exploits can hack iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023.
DarkSword, however, contains exploits capable of hacking more recent iPhones and iPads running iOS 18.4 and 18.7, released in September 2025, according to security researchers with Google who are investigating the code.
But the threat from DarkSword is more immediate to the general public. Someone leaked part of DarkSword and published it on code-sharing site GitHub, making it easy for anyone to download the malicious code and launch their own attacks targeting Apple users running older versions of iOS.
These types of attacks are by definition indiscriminate and dangerous, as they can ensnare anyone who visits a certain website hosting the malicious code.
In some cases, victims can be hacked simply by visiting a legitimate website under the control of malicious hackers.
When victims are initially infected, Coruna and DarkSword exploit several vulnerabilities in iOS that let hackers virtually take full control of the target’s device, allowing them to steal the person’s private data. The data is then uploaded to a web server run by the hackers.
At least some parts of the Coruna toolkit, as TechCrunch previously reported, were originally developed by Trenchant, a hacking and spyware unit within U.S. defense contractor L3Harris, which sells exploits to the U.S. government and its top allies.
Kaspersky has also linked two exploits in Coruna’s toolkit to Operation Triangulation, a complex and likely government-led cyberattack allegedly carried out against Russian iPhone users.
After Trenchant developed Coruna — somehow, it’s not clear how — these exploits found their way into the hands of Russian spies and Chinese cybercriminals, perhaps through one or several intermediaries who sell exploits on the underground market.
