Security researchers have uncovered a series of cyberattacks targeting Apple customers across the world. The tools used in these hacking campaigns have been dubbed Coruna and DarkSword, and they have been used by both government spies and cybercriminals to steal information from people’s iPhones and iPads.
It’s rare to see broad hacks targeting iPhone and iPad users. In the past decade, the only precedents have been attacks against Uyghur Muslims in China, and against people in Hong Kong.
Now, some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running out-of-date software at risk of information thefts.
We are breaking down what we know and what we don’t about these latest iPhone and iPad hacking threats, and what you can do to stay protected.
What are Coruna and DarkSword?
Coruna and DarkSword are two sets of advanced hacking toolkits that each contain a range of exploits capable of breaking into iPhones and iPads, and stealing a person’s data, such as their messages, browser data, location history, and cryptocurrency.
Security researchers who discovered the toolkits say Coruna’s exploits can hack iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023.
DarkSword, however, contained exploits capable of hacking more recent iPhones and iPads running iOS 18.4 and 18.7, released in September 2025, according to security researchers with Google who are investigating the code.
But the threat from DarkSword is more immediate to the general public. Someone leaked part of DarkSword and published it on code sharing site GitHub, making it easy for anyone to download the malicious code and launch their own attacks targeting Apple users running older versions of iOS.
How do Coruna and DarkSword work?
These types of attacks are by definition indiscriminate and dangerous, as they can ensnare anyone who visits a certain website hosting the malicious code.
In some cases, victims can be hacked simply by visiting a legitimate website under the control of malicious hackers.
When victims are initially infected, Coruna and DarkSword exploit several vulnerabilities in iOS that let hackers virtually take full control of the target’s device, allowing them to steal the person’s private data. The data is then uploaded to a web server run by the hackers.
At least some parts of the Coruna toolkit, as TechCrunch previously reported, were originally developed by Trenchant, a hacking and spyware unit inside U.S. defense contractor L3Harris, which sells exploits to the U.S. government and its top allies.
Kaspersky has also linked two exploits in Coruna’s toolkit to Operation Triangulation, a complex and likely government-led cyberattack allegedly carried out against Russian iPhone users.
After Trenchant developed Coruna — somehow, it’s not clear how — these exploits found their way into the hands of Russian spies and Chinese cybercriminals, possibly through one or several intermediaries who sell exploits on the underground market.
Coruna’s travels show again that powerful hacking tools, including those developed for the U.S. under tight secrecy restrictions, can leak and proliferate out of control.
One example of this was in 2017 when an exploit developed by the U.S. National Security Agency, which was capable of remotely breaking into Windows computers around the world, leaked online. The same exploit was then used in the destructive WannaCry ransomware attack, which indiscriminately hacked hundreds of thousands of computers across the world.
In the case of DarkSword, researchers have observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. It remains unclear who originally developed DarkSword, how it ended up with different hacking groups, or how the tools were leaked online.
How did the DarkSword tools leak online?
It’s unclear who leaked the tools and published them online to GitHub, or for what reason.
The hacking tools, which TechCrunch has seen, are written in the web languages HTML and JavaScript, making them relatively easy to configure and self-host anywhere by anyone wanting to launch malicious attacks. (TechCrunch is not linking to GitHub as the tools can be used in malicious attacks.) Researchers posting on X have already tested the leaked tools by hacking into their own Apple devices running vulnerable versions of the company’s software.
DarkSword is now “essentially plug-and-play,” as Justin Albrecht, principal researcher at mobile security firm Lookout, explained to TechCrunch.
GitHub told TechCrunch that it has not taken down the leaked code, but will preserve it for security research.
“GitHub’s Acceptable Use Policies prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” GitHub’s online safety counsel Jesse Geraci told TechCrunch. “However, we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.”
Is my iPhone or iPad vulnerable to DarkSword?
If you have an iPhone or iPad that is not up to date, you should consider updating immediately.
Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.
According to iVerify: “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities that have been exploited in these attack chains.”
According to Apple’s own statistics, about one-in-three iPhone and iPad users are still not running the latest iOS 26 software. That means there are potentially hundreds of millions of devices vulnerable to these hacking tools, since Apple touts more than 2.5 billion active devices around the world.
What if I can’t or don’t want to upgrade to iOS 26?
Apple also said that Lockdown Mode, an opt-in extra security feature first introduced in iOS 16, also blocks these specific attacks.
Lockdown Mode is helpful for journalists, dissidents, human rights activists, and anyone who thinks they may be targeted for who they are, or the work that they do.
While Lockdown Mode is not perfect, there has been no public evidence that hackers have to date ever been able to bypass its protections. (We asked Apple if that claim still holds true, and will update if we hear back.) Lockdown Mode was found to have prevented at least one attempt to plant spyware on a human rights defender’s phone.














