Exclusive: U.S. Contractor’s iPhone Hacking Toolkit Used by Russian Spies

iPhone hacking toolkit developed by U.S. contractor L3Harris used in cyber espionage.

BOSTON, MA — June 9, 2026: A sophisticated iPhone hacking toolkit deployed by Russian government spies against Ukrainian targets and later by Chinese cybercriminals was likely developed by U.S. military contractor L3Harris, according to an exclusive TechCrunch investigation and corroborating data from Google. The toolkit, internally codenamed “Coruna,” represents a critical case of advanced Western surveillance technology leaking to adversarial states and criminal groups. Google’s Threat Analysis Group revealed last week that it tracked the toolkit’s use throughout 2025 in a series of global cyberattacks, initially targeting a limited number of individuals before being weaponized in broad-scale campaigns.

The Coruna Toolkit: From U.S. Contractor to Global Threat

According to Google’s technical report, the Coruna toolkit comprised 23 distinct components designed to exploit iPhones. Researchers first observed its use in “highly targeted operations” by an unnamed government customer of a surveillance vendor. Subsequently, Russian government operatives, identified by Google as UNC6353, deployed it against Ukrainian targets. Finally, Chinese cybercriminals used adapted versions in large-scale campaigns aimed at financial theft and data exfiltration. Mobile cybersecurity firm iVerify, which conducted an independent analysis, concluded the toolkit’s origins pointed to a company that sold such capabilities to the U.S. government.

Two former employees of L3Harris’s surveillance technology division, Trenchant, confirmed to TechCrunch that Coruna was, at least in part, developed internally. Both sources, who spoke on condition of anonymity, had direct knowledge of the company’s iPhone exploitation tools. “Coruna was definitely an internal name of a component,” stated one former employee familiar with Trenchant’s work. “Looking at the technical details Google published, so many are familiar.” L3Harris sells Trenchant’s tools exclusively to the U.S. government and its Five Eyes intelligence allies, which include Australia, Canada, New Zealand, and the United Kingdom.

The Peter Williams Leak: A Conduit to Adversaries

The pathway of this advanced toolkit from a restricted U.S. ally network to Russian and Chinese hands appears connected to a former Trenchant employee. Peter Williams, a 39-year-old Australian citizen and former general manager at Trenchant, was sentenced to seven years in prison last month. U.S. prosecutors stated that from 2022 until his resignation in mid-2025, Williams stole and sold eight company hacking tools to Operation Zero, a Russian broker, for $1.3 million.

  • Betrayal with Global Reach: Prosecutors said Williams “betrayed” the U.S. and its allies, leaking tools that could “potentially access millions of computers and devices around the world.”
  • Sanctioned Broker: Operation Zero, sanctioned by the U.S. Treasury last month, claims to work exclusively with the Russian government and local companies. The Treasury alleged the broker sold Williams’s stolen tools to “at least one unauthorized user.”
  • Criminal Nexus: The Treasury also noted a member of the Trickbot ransomware gang worked with Operation Zero, creating a bridge between state espionage tools and financially motivated cybercrime.

This chain explains how UNC6353 likely acquired Coruna. The group deployed it on compromised Ukrainian websites to hack iPhones of visitors from specific geolocations. From there, the toolkit may have been resold, eventually reaching Chinese hacking groups.

Expert Analysis: Connecting the Dots to Trenchant

Rocky Cole, co-founder of iVerify and a former U.S. National Security Agency analyst, told TechCrunch the evidence strongly points to Trenchant. “The best explanation based on what’s known right now” involves Trenchant and the U.S. government as the original developer and customer, Cole stated, while cautioning he wasn’t claiming this definitively. His assessment rests on three pillars: the timeline aligns with Williams’s leaks, the structure of Coruna modules like Plasma, Photon, and Gallium bears strong similarities to other known campaigns, and Coruna reused specific exploits.

Furthermore, one former Trenchant employee revealed that when the Operation Triangulation campaign was exposed in 2023, colleagues believed at least one of the zero-day vulnerabilities it used “were from us, and potentially ‘ripped out’ of the” overarching project that included Coruna. Security researcher Costin Raiu also noted a telling clue: several of the 23 tools in Coruna used bird names (Cassowary, Terrorbird), a pattern previously linked to Azimuth, a startup acquired by L3Harris to form Trenchant.

Operation Triangulation and the Attribution Puzzle

Google researchers directly linked two Coruna exploits—Photon and Gallium—to Operation Triangulation, a sophisticated campaign first revealed by Kaspersky in 2023 that targeted iPhones in Russia. This connection intensified the geopolitical intrigue. Following Kaspersky’s report, Russia’s Federal Security Service (FSB) accused the U.S. National Security Agency of hacking “thousands” of iPhones in Russia.

Campaign | Primary Actor | Targets | Linked Toolkit
Initial Coruna Use | Unnamed Five Eyes Government | Highly Targeted Individuals | Coruna (Full Suite)
Ukrainian Campaign | Russian UNC6353 | Ukrainian iPhone Users | Coruna Components
Operation Triangulation | Unknown (Attributed to NSA by FSB) | Russian iPhone Users | Coruna Exploits (Photon, Gallium)
Chinese Cybercrime Campaign | Chinese Cybercriminals | Broad Financial Theft | Adapted Coruna Tools

However, Boris Larin, a Kaspersky security researcher, urged caution in attribution. “Attribution cannot be based solely on the fact of exploitation of these vulnerabilities,” Larin told TechCrunch via email. “All the details of both vulnerabilities have long been publicly available,” meaning any capable actor could have weaponized them. Kaspersky has never publicly attributed Operation Triangulation. Intriguingly, the logo Kaspersky created for the campaign—an apple made of triangles—bears a visual resemblance to the L3Harris logo, a tactic the company has used before to hint at attributions without stating them outright.

Broader Implications for Cybersecurity and Arms Control

The Coruna saga exposes the fragile containment around the global cyber arms market. A tool developed for a tightly controlled alliance wound up targeting that alliance’s adversaries and then fueling global cybercrime. This incident will likely intensify debates about the regulation of surveillance technology exports and internal security at defense contractors. The fact that a single insider, Peter Williams, could compromise tools with such global impact underscores profound internal security vulnerabilities.

Industry and Government Response

An L3Harris spokesperson did not respond to TechCrunch’s request for comment. Apple, Google, Kaspersky, and Operation Zero also did not comment. The silence from involved corporations and governments is typical in matters of national security and offensive cyber tools, but it leaves victims and the public with unanswered questions about accountability and mitigation. The U.S. government’s prosecution of Williams is a clear signal of its intent to punish such leaks severely, but it does not address the systemic risk.

Conclusion

The journey of the Coruna iPhone hacking toolkit from a U.S. military contractor to Russian spies and Chinese cybercriminals reveals a dangerous flaw in the cybersecurity ecosystem. It demonstrates how advanced exploits, once developed, can escape their intended confines through insider threats or illicit brokers, blurring the lines between state espionage and criminal activity. This case, confirmed by Google’s data and insider accounts, highlights the urgent need for stronger controls over surveillance technology and more robust internal safeguards at companies operating at the intersection of national security and cyber capability. As these tools continue to proliferate, the digital world grows more dangerous for every iPhone user caught in the crossfire.

Frequently Asked Questions

Q1: What is the Coruna iPhone hacking toolkit?
The Coruna toolkit is a suite of 23 software components designed to exploit vulnerabilities in iPhones. Evidence suggests it was originally developed by L3Harris’s Trenchant division for Western intelligence agencies before leaking to other actors.

Q2: How did Russian spies get access to a U.S. contractor’s tools?
According to U.S. prosecutors, former L3Harris employee Peter Williams stole and sold several company tools, likely including Coruna components, to the Russian broker Operation Zero, which then supplied them to Russian government hacking groups.

Q3: Which iPhone models and iOS versions are vulnerable to Coruna?
Google and iVerify analysts state Coruna was designed to hack iPhone models running iOS versions 13 through 17.2.1, covering devices from September 2019 through December 2023.

Q4: What was Operation Triangulation, and how is it related?
Operation Triangulation was a sophisticated cyber-espionage campaign discovered in 2023 that targeted iPhones in Russia. Google researchers found it used two specific exploits, Photon and Gallium, that are core components of the Coruna toolkit.

Q5: What are the broader implications of this leak?
This incident highlights the risks of the global cyber arms trade, showing how tools built for national security can leak via insiders or brokers to adversaries and criminals, escalating threats for ordinary users and complicating international relations.

Q6: What should iPhone users do to protect themselves?
Users should always install the latest iOS updates immediately, as these often patch known vulnerabilities. Be cautious when clicking links, especially from unknown sources, and use strong, unique passwords with two-factor authentication enabled.
