From Pentagon to Pyongyang: How a U.S.-Built iPhone Spy Kit Fueled Global Cybercrime
A top-secret iPhone hacking toolkit, once developed for Western intelligence, has become a weapon for Russian spies and Chinese cybercriminals after a dramatic internal leak.
It began as a tightly guarded U.S. military project - an arsenal of digital break-in tools designed to slip undetected into Apple’s famously secure iPhones. But in a twist worthy of a spy thriller, this elite hacking kit, codenamed “Coruna,” has erupted onto the global cybercrime stage, arming Russian espionage groups and Chinese criminal syndicates in equal measure.
The story of Coruna is a cautionary tale about how even the most sophisticated cyberweapons, once thought safely locked away in Western arsenals, can spiral out of control. Developed by Trenchant - the hacking arm of U.S. defense giant L3Harris - the Coruna toolkit was built for government surveillance, targeting Apple devices from iOS 13 to 17.2.1 with surgical precision. Its arsenal included 23 distinct components, each engineered to silently breach Apple’s defenses and remain undetected.
The leak began from within. Peter Williams, a top executive with unrivaled access, managed to steal at least eight highly classified hacking tools between 2022 and mid-2025. For a payout of $1.3 million, he sold them to Operation Zero, a Russian brokerage with deep ties to the Kremlin and notorious ransomware gangs like Trickbot. Williams now sits in federal prison, sentenced to seven years for his role in the breach - but the digital genie is out of the bottle.
Russian intelligence wasted no time. According to Google’s threat intelligence unit, the espionage group UNC6353 used Coruna to infiltrate iPhones belonging to high-value targets in Ukraine, marking a dramatic escalation in digital warfare. But the toolkit’s journey didn’t end there; it soon found its way into the hands of Chinese cybercriminals, who weaponized it for financial theft and cryptocurrency scams on a massive scale.
Technical sleuthing by Google and iVerify traced Coruna’s fingerprints across several high-profile cyber campaigns, including the infamous “Operation Triangulation” that targeted Russian diplomats in 2023. Analysts identified unique exploit chains - codenamed Photon, Gallium, and Plasma - directly linking Coruna to these attacks. The toolkit’s quirky bird-themed code names, such as Cassowary and Terrorbird, further revealed its DNA, tracing back to Azimuth Security, an Australian startup folded into L3Harris’s operations.
Although official attribution remains murky, the timeline of Coruna’s development, Williams’s theft, and the real-world attacks suggest a chilling reality: military-grade cyberweapons, once unleashed, can quickly become tools for adversaries and criminals alike.
As the dust settles, the Coruna saga raises urgent questions for governments and tech giants: Can any cyberweapon ever be truly contained? And when the tools of statecraft are set loose, who pays the price? The answer, as Coruna’s global rampage shows, is all of us.
WIKICROOK
- Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
- Exploit framework: An exploit framework is a toolkit of software and code modules used to test, develop, and execute cyberattacks on computer systems.
- Ransomware gang: A ransomware gang is a group of cybercriminals that extorts victims by encrypting data and demanding payment to restore access or prevent data leaks.
- Threat intelligence: Threat intelligence is information about cyber threats that helps organizations anticipate, identify, and defend against potential cyberattacks.
- Attribution: Attribution is the process of determining who is behind a cyberattack, using technical clues and analysis to identify the responsible party.