Leaked Hacker Tools Threaten Hundreds of Millions of iPhones
Security researchers have found that the advanced iPhone jailbreak tools Coruna and DarkSword were leaked online, exposing over 2.5 billion Apple devices running iOS 13‑26 to potential data theft. This article covers the tools’ capabilities, attack chain, origins, GitHub release, and mitigation steps such as updating iOS and enabling Lockdown Mode.
1. Event Overview
1.1 Background
Security researchers discovered that two advanced iPhone jailbreak tools, Coruna and DarkSword, have been leaked to the Internet and are now publicly downloadable. Historically, large‑scale iPhone attacks were rare; the leak now puts billions of devices running older iOS versions at risk.
1.2 Scope
Affected devices: over 2.5 billion active Apple devices
Impacted iOS versions: iOS 13‑iOS 26 (partial)
Targets: iPhone and iPad users
Leakage: parts of DarkSword posted on GitHub for anyone to download
2. Tool Details
2.1 What are Coruna and DarkSword?
Both are sophisticated exploit kits that can exfiltrate SMS, browser data, location history, and cryptocurrency wallet information.
Coruna exploits devices running iOS 13‑iOS 17.2.1 (iOS 17.2.1 released Dec 2023).
DarkSword targets iOS 18.4 and iOS 18.7 (expected Sep 2025) and has been partially released on GitHub as a “plug‑and‑play” attack tool.
2.2 Attack Flow
Phishing website – user visits a maliciously controlled site.
Watering‑hole – legitimate sites compromised to deliver the payload.
Exploit – multiple iOS vulnerabilities give the attacker full device control.
Data exfiltration – stolen data is uploaded to attacker‑controlled servers.
3. Origin Analysis
3.1 Coruna’s provenance
TechCrunch reported that parts of Coruna were originally developed by Trenchant, the cyber‑espionage division of defense contractor L3Harris, which sells exploits to governments and allies. Kaspersky linked two Coruna vulnerabilities to “Operation Triangulation,” a suspected state‑sponsored campaign against Russian iPhone users.
3.2 Leak pathway
The article notes that even tightly guarded U.S. tools can leak, citing the 2017 NSA exploit leak that later powered the WannaCry ransomware.
3.3 DarkSword status
Researchers observed DarkSword targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. The developer’s identity, how the tool entered various hacker groups, and why it was posted online remain unknown.
4. Online Leak Details
4.1 Release process
Portions of DarkSword have been uploaded to GitHub, where they can be downloaded and deployed. TechCrunch confirmed the tools are written in HTML and JavaScript, making configuration relatively easy. Lookout senior researcher Justin Albrecht described DarkSword as essentially “plug‑and‑play.”
4.2 GitHub’s response
“GitHub’s Acceptable Use Policy prohibits content that directly supports illegal active attacks or causes technical harm, but we do not ban source code that could be used to develop malware or exploits because it has educational value for the security community.”
5. Mitigation Recommendations
5.1 Update immediately
Apple states that devices running the latest iOS 15‑iOS 26 are protected. Security firm iVerify recommends updating to iOS 18.7.6 or iOS 26.3.1 to mitigate the vulnerabilities exploited by the disclosed attack chain. Apple’s own statistics show roughly one‑third of iPhone and iPad users have not yet upgraded to iOS 26.
5.2 Enable Lockdown Mode
For users unable or unwilling to upgrade, enabling Lockdown Mode can block the specific attacks. Lockdown Mode is intended for journalists, dissidents, human‑rights activists, and other high‑risk individuals. No public evidence currently shows that attackers can bypass this protection.
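An added example, not part of the original article or of any vendor tooling: a Python sketch that triages a device inventory against the version numbers given in sections 2.1 and 5.1, treating Lockdown Mode as the fallback from section 5.2. The CSV columns, device names and status labels are assumptions made for illustration, and the sample inventory is constructed.

```python
import csv
import io

# Builds iVerify recommends, per section 5.1 (keyed by major version).
RECOMMENDED = {18: (18, 7, 6), 26: (26, 3, 1)}
# Range the article gives for Coruna in section 2.1.
CORUNA_FIRST, CORUNA_LAST = (13, 0, 0), (17, 2, 1)

def parse_version(text):
    """Turn '18.7' or '17.2.1' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(os_version, lockdown_mode=False):
    """Return (status, reason) for one device. Status labels are hypothetical."""
    v = parse_version(os_version)
    floor = RECOMMENDED.get(v[0])
    if floor and v >= floor:
        return "ok", "at or above the build iVerify recommends"
    if floor:
        status, reason = "update", "below " + ".".join(map(str, floor))
    elif CORUNA_FIRST <= v <= CORUNA_LAST:
        status, reason = "update", "inside the iOS 13 to 17.2.1 range given for Coruna"
    else:
        # The article names no build number for this major version.
        status, reason = "review", "article lists no build to compare against"
    if lockdown_mode:
        status = "lockdown"  # not updated, but the section 5.2 fallback is on
    return status, reason

def triage_inventory(csv_text):
    """Map device name -> (status, reason) for an inventory export in CSV form."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: triage(r["os_version"], r["lockdown_mode"] == "true")
            for r in rows}

# Constructed sample inventory (assumed column names).
SAMPLE = """device,os_version,lockdown_mode
iphone-01,17.2.1,false
iphone-02,18.7,false
ipad-03,18.7.6,false
iphone-04,26.3,true
iphone-05,26.3.1,false
ipad-06,17.5,false
"""

if __name__ == "__main__":
    for device, (status, reason) in triage_inventory(SAMPLE).items():
        print(f"{device:10} {status:9} {reason}")
```

Comparing parsed tuples rather than strings matters here: as text, "18.7" sorts after "18.7.6" in some tools and "26.3" looks equal to "26.3.1" under prefix matching, either of which would hide an unpatched device.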
6. Conclusion
The incident underscores that once powerful cyber weapons leak, their impact can far exceed expectations, echoing past events such as the Snowden disclosures and the WannaCry ransomware outbreak. Users should promptly update their iOS version, consider enabling Lockdown Mode, and remain vigilant against suspicious links and websites.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
