Exclusive: U.S. Contractor’s iPhone Hacking Tools Used by Russian Spies in Ukraine

BOSTON, MA — June 9, 2026: A sophisticated mass hacking campaign targeting iPhone users across Ukraine and China likely originated with tools developed by American military contractor L3Harris, according to an exclusive TechCrunch investigation. The revelation, confirmed by former company employees, exposes a critical breach in the Western surveillance supply chain, where advanced iPhone hacking tools intended for Five Eyes intelligence agencies wound up in the hands of Russian government spies and Chinese cybercriminals. This global proliferation of a toolkit dubbed “Coruna” underscores the dangerous secondary market for state-grade cyber weapons and their unpredictable impact on global security.

The Coruna Toolkit: From U.S. Contractor to Global Threat

Google’s Threat Analysis Group first uncovered the Coruna toolkit in 2025, identifying 23 distinct components used in a series of escalating global attacks. Initially deployed in “highly targeted operations” by an unnamed government customer, the tools later appeared in Russian espionage campaigns against Ukrainians before Chinese cybercriminals adopted them for broad-scale financial theft. Researchers at mobile security firm iVerify, who independently analyzed the malware, immediately noted its professional grade and suspected U.S. government origins. Their assessment aligned with statements from two former employees of L3Harris’s elite Trenchant division, who confirmed to TechCrunch that Coruna was developed internally. “Coruna was definitely an internal name of a component,” said one former employee, who recognized technical details published by Google.

The timeline is particularly damning. Coruna was designed to hack iPhone models running iOS 13 through iOS 17.2.1—software versions current between September 2019 and December 2023. This window directly overlaps with the period when a Trenchant insider, Peter Williams, was actively stealing and selling company tools. L3Harris markets Trenchant’s capabilities exclusively to the U.S. government and its Five Eyes allies (Australia, Canada, New Zealand, the United Kingdom), making a leak from this tightly controlled ecosystem a significant intelligence failure.

The Insider Threat: How U.S. Tools Reached Russian Spies

The path from a secured U.S. contractor to foreign adversaries centers on a single individual: Peter Williams, a 39-year-old Australian former general manager at Trenchant. From 2022 until his resignation in mid-2025, Williams exploited his “full access” to company networks, systematically stealing and selling eight hacking tools to a Russian broker known as Operation Zero for $1.3 million. U.S. prosecutors stated these tools could have allowed access to “millions of computers and devices around the world.” Williams was sentenced to seven years in prison last month for betraying the United States and its allies. Operation Zero, sanctioned by the U.S. Treasury, claims to work exclusively with the Russian government and local companies, providing a direct pipeline for Williams’s stolen goods.

  • Direct Pipeline to Espionage: The U.S. Treasury alleges Operation Zero sold Williams’s “stolen tools to at least one unauthorized user.” This likely explains how a Russian espionage group, identified by Google as UNC6353, acquired Coruna and deployed it on compromised Ukrainian websites to hack iPhones of visitors from specific locations.
  • Weaponized for Crime: The Treasury further tied a member of the notorious Trickbot ransomware gang to Operation Zero, connecting the broker to financially motivated hackers. This link provides a plausible route for Coruna to eventually reach Chinese cybercriminals focused on stealing money and cryptocurrency.
  • Global Proliferation: U.S. prosecutors noted Williams even recognized his own code, sold to Operation Zero, being resold and used by a South Korean broker, illustrating the tool’s rapid, uncontrolled diffusion across the global cyber underworld.

Expert Analysis: Connecting Coruna to Operation Triangulation

Technical evidence strongly ties the Coruna leak to one of the most sophisticated iPhone hacking campaigns ever discovered: Operation Triangulation. First exposed by Kaspersky in 2023, this campaign allegedly targeted Russian iPhone users using previously unknown “zero-day” exploits. Rocky Cole, co-founder of iVerify and a former NSA analyst, told TechCrunch the evidence points to Trenchant. “The best explanation based on what’s known right now” involves Trenchant and the U.S. government as the original developer and customer, Cole stated, citing three factors. First, Coruna’s use timeline aligns with Williams’s leaks. Second, Coruna modules named Plasma, Photon, and Gallium bear strong similarities to components used in Triangulation. Third, Coruna reused the same Photon and Gallium exploits deployed in that operation.

A Pattern of Covert Signaling and Bird-Themed Tools

Further breadcrumbs point to Trenchant’s involvement. Security researcher Costin Raiu noted that several of Coruna’s 23 tools use bird names—Cassowary, Terrorbird, Bluebird—a pattern consistent with past revelations about companies absorbed into Trenchant. In 2021, The Washington Post revealed that Azimuth, a startup later acquired by L3Harris, sold a tool called “Condor” to the FBI. Perhaps most strikingly, the logo Kaspersky created for Operation Triangulation—an apple made of triangles—bears a curious resemblance to the L3Harris logo. Kaspersky has a history of such covert attribution; in 2014, it subtly signaled that the “Careto” hacking group was run by the Spanish government through imagery in its report.

| Entity | Role in the Story | Key Action/Revelation |
| --- | --- | --- |
| L3Harris (Trenchant) | Original Developer | Likely built the Coruna iPhone hacking toolkit for U.S./Five Eyes governments. |
| Peter Williams | Insider Threat | Stole and sold 8 Trenchant tools, including Coruna components, to Russian broker Operation Zero for $1.3M. |
| Operation Zero | Russian Broker | Purchased stolen tools, sold them to Russian espionage group UNC6353 and potentially to cybercriminals. |
| UNC6353 | Russian Espionage Group | Deployed Coruna in targeted attacks against iPhone users in Ukraine. |
| Chinese Cybercriminals | Final Users | Used Coruna in broad-scale campaigns to steal money and cryptocurrency. |

Geopolitical Fallout and the Blame Game

This leak has already fueled international tensions. Following Kaspersky’s 2023 report on Operation Triangulation, Russia’s Federal Security Service (FSB) publicly accused the U.S. National Security Agency (NSA) of hacking “thousands” of iPhones in Russia. While Kaspersky researcher Boris Larin told TechCrunch the company cannot definitively attribute Triangulation, he confirmed Google linked it to Coruna via the shared Photon and Gallium vulnerabilities. The public accusations and private technical evidence create a fog of geopolitical blame, complicating diplomatic relations and cybersecurity cooperation. The incident demonstrates how a single insider’s actions can provide adversaries with both powerful cyber capabilities and potent propaganda ammunition.

Industry and Government Response: A Silence Speaks Volumes

Official responses have been muted, which analysts interpret as a sign of the incident’s sensitivity. An L3Harris spokesperson did not respond to requests for comment. Apple, Google, and Operation Zero also remained silent. This silence from major corporations and the implicated contractor highlights the opaque nature of the surveillance-for-hire industry and the difficulty of establishing accountability when tools change hands in the shadows. The U.S. government’s primary action has been the prosecution of Williams and sanctions against Operation Zero, a reactive rather than preventative approach.

Conclusion

The journey of the Coruna toolkit from a secured U.S. military contractor to Russian spies in Ukraine and Chinese cybercriminals reveals a stark vulnerability in the national security ecosystem. It is not just a story of a rogue employee, but of a thriving gray market where state-grade cyber weapons are commodified, leaked, and repurposed with global consequences. The technical links to Operation Triangulation suggest the fallout from Peter Williams’s betrayal may be broader than currently understood. For policymakers, the case is an urgent call for stricter controls on the surveillance technology supply chain. For iPhone users worldwide, it is a reminder that the most sophisticated threats often originate not from shadowy hackers, but from the tools of powerful states, lost in transit.

Frequently Asked Questions

Q1: What is the Coruna toolkit and who built it?
The Coruna toolkit is a sophisticated suite of 23 components designed to hack iPhones. Based on an exclusive TechCrunch investigation and analysis by iVerify researchers, it was likely originally built by L3Harris’s Trenchant division for U.S. and allied intelligence agencies.

Q2: How did Russian spies get these U.S.-made hacking tools?
A former L3Harris employee, Peter Williams, stole the tools and sold them to a Russian broker called Operation Zero for $1.3 million. This broker then sold them to a Russian government espionage group, which used them in targeted attacks against iPhone users in Ukraine.

Q3: What is Operation Triangulation and how is it connected?
Operation Triangulation was a sophisticated hacking campaign first revealed by Kaspersky in 2023 that targeted iPhones, reportedly including those in Russia. Technical evidence shows it used the same core exploits (Photon and Gallium) found in the Coruna toolkit, strongly suggesting the leaked tools were used in this separate, major campaign.

Q4: What has been the U.S. government’s response to this leak?
The U.S. government prosecuted the insider, Peter Williams, sentencing him to seven years in prison. It has also sanctioned the Russian broker, Operation Zero. L3Harris and relevant agencies have not made public statements regarding the origin or loss of the tools.

Q5: Should ordinary iPhone users be worried about this specific toolkit?
The specific vulnerabilities Coruna exploited (targeting iOS 13 to 17.2.1) are likely now patched. However, the story highlights the persistent threat of powerful, state-developed hacking tools leaking into the criminal underground, underscoring the importance of keeping devices updated with the latest security patches.

Q6: What does this mean for the future of surveillance technology sales?
This incident will likely increase scrutiny and calls for stricter regulation of the commercial surveillance industry, particularly regarding insider threats and the resale of tools. It may push governments and contractors to implement more robust internal security and tool-tracking mechanisms.
