A massive hacking campaign targeting iPhone users in Ukraine and China used tools likely designed by US military contractor L3Harris, a TechCrunch investigation found. The tool was intended for Western spies, but ended up in the hands of various hacking groups, including Russian government spies and Chinese cybercriminals.
Last week, Google revealed that it had discovered an advanced iPhone hacking toolkit used in a series of attacks around the world dating back to 2025. The toolkit, named “Coruna” by its original developer, consisted of 23 different components that were initially used “in highly targeted operations” by an unnamed government customer of an unspecified “surveillance vendor.” It was then used by Russian government spies against a small number of Ukrainians, and finally by Chinese cybercriminals in a “large scale” campaign aimed at stealing money and cryptocurrency.
Researchers at mobile cybersecurity firm iVerify, who conducted an independent analysis of Coruna, said they believe Coruna may have been built by a company that originally sold it to the U.S. government.
Two former employees of government contractor L3Harris told TechCrunch that Coruna was developed, at least in part, by the company's hacking and surveillance technology division, Trenchant. Both former employees had knowledge of the company's iPhone hacking tools. The people spoke on condition of anonymity because they were not authorized to discuss their work at the company.
“Coruna was definitely the internal name of the component,” said one former L3Harris employee who was familiar with iPhone hacking tools as part of his work at Trenchant.
“If you look at the technical details, a lot of it is well known,” the person said of some of the evidence Google released.
The former employees said Trenchant's full toolkit includes several different components, including Coruna and related exploits. Another former employee acknowledged that some of the details in the published hacking toolkit came from Trenchant.
L3Harris sells Trenchant's hacking and surveillance tools exclusively to the U.S. government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given Trenchant's limited number of customers, it is possible that Coruna was originally acquired and used by one of these governments' intelligence agencies and then fell into unintended hands, but it is unclear how much of the publicly known Coruna toolkit was developed by L3Harris Trenchant.
A spokesperson for L3Harris did not respond to a request for comment.
It is unclear how Coruna passed from the hands of a Five Eyes government contractor to a Russian government hacking group and then to a Chinese cybercriminal organization.
But parts of the situation resemble the case of former Trenchant general manager Peter Williams. From 2022 until he resigned in mid-2025, Williams sold eight of the company's hacking tools to Operation Zero, a Russian company that offers millions of dollars in exchange for zero-day exploits, meaning exploits for vulnerabilities unknown to the affected vendors.
Williams, a 39-year-old Australian national, was sentenced to seven years in prison last month after admitting to stealing eight Trenchant hacking tools and selling them to Operation Zero for $1.3 million.
The US government said Williams used his “complete access” to Trenchant's network to “betray” the United States and its allies. Prosecutors accused him of leaking tools that could have given those who used them “potential access to millions of computers and devices around the world,” suggesting the tools exploited vulnerabilities in widely used software such as iOS.
Operation Zero, which was sanctioned by the US government last month, claims to work only with the Russian government and Russian companies. The US Treasury said a Russian broker sold Williams' “stolen tools to at least one unauthorized user.”
That would explain how a Russian spy group, identified by Google only as UNC6353, obtained Coruna, deployed it on compromised Ukrainian websites, and hacked the iPhones of users in specific locations who unwittingly visited those sites.
Operation Zero may have acquired Coruna and sold it to the Russian government, but the broker may have resold the toolkit to someone else, perhaps another broker, another country, or even cybercriminals directly. The Treasury Department alleged that members of the Trickbot ransomware gang collaborated with Operation Zero, linking brokers to financially motivated hackers.
At that point, Coruna may have passed into other hands before reaching Chinese hackers. U.S. prosecutors said Williams realized that the code he had written and sold to Operation Zero was later used by a Korean broker.
[Image: the L3Harris logo next to the logo Kaspersky created for Operation Triangulation. Image credits: Kaspersky and L3Harris]
Operation Triangulation
Google researchers wrote Tuesday that two specific Coruna exploits and their underlying vulnerabilities, called Photon and Gallium by their original developers, had been used as zero-days in Operation Triangulation, a sophisticated hacking campaign against iPhone users in Russia. Operation Triangulation was first revealed by Kaspersky in 2023.
iVerify co-founder Rocky Cole told TechCrunch that “the best explanation based on what we know at this point” points to Trenchant and the U.S. government as Coruna's original developer and customer. However, Cole added that he was not making this claim “categorically.”
He said the assessment rests on three factors: the timeline of Coruna's use matches Williams' leak; the structure of three of Coruna's modules (Plasma, Photon, and Gallium) closely resembles that of Triangulation; and Coruna reused some of the same exploits used in that operation.
Cole said “people close to the defense community” claim Plasma was used in Operation Triangulation, but “there is no public evidence of that.” (Cole previously worked for the U.S. National Security Agency.)
According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, versions released between September 2019 and December 2023. Those dates line up with the timeline of some of Williams' leaks and with the discovery of Operation Triangulation.
One former Trenchant employee told TechCrunch that when Triangulation first came to light in 2023, other employees at the company believed that at least one of the zero-days captured by Kaspersky Lab “came from our company and could have been 'stolen' from an overarching project that included Coruna.”
As security researcher Costin Raiu pointed out, another breadcrumb pointing to Trenchant is the use of bird names for some of the 23 tools, including Cassowary, Terrorbird, Bluebird, Jacultu, and Sparrow. In 2021, the Washington Post revealed that Azimuth, one of two startups later acquired by L3Harris and merged into Trenchant, sold the FBI a hacking tool called Condor that was used in the San Bernardino iPhone unlocking case.
After Kaspersky published its findings on Operation Triangulation, Russia's Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, including those of diplomats. A Kaspersky spokesperson said at the time that the company had no information about the FSB's allegations. The spokesperson said the “indicators of compromise” (evidence of hacking) identified by Russia's National Computer Incident Coordination Center (NCCCI) were the same as those identified by Kaspersky Lab.
Boris Larin, a security researcher at Kaspersky Lab, told TechCrunch in an email: [Advanced Persistent Threat] group or exploit development company. ”
Larin explained that Google linked Coruna to Operation Triangulation because they both exploit the same two vulnerabilities: Photon and Gallium.
“Attribution cannot be based solely on the fact that these vulnerabilities were exploited. All details of both vulnerabilities have been public for a long time, so anyone could have exploited them,” he said, adding that these two shared vulnerabilities are “just the tip of the iceberg.”
Kaspersky has never publicly accused the US government of being behind Operation Triangulation. Notably, the logo the company created for the campaign (an Apple logo made up of several triangles) is reminiscent of the L3Harris logo. That may not be a coincidence. Kaspersky has long said it does not publicly attribute hacking operations, but it has quietly hinted that it knows who was behind this one and who supplied the tools.
In 2014, Kaspersky announced that it had uncovered a sophisticated and elusive government hacking group it called “Careto” (Spanish for “mask”). The company said only that the hackers spoke Spanish. However, the mask illustration it used in its report featured the red and yellow of the Spanish flag, bull horns and a nose ring, and castanets.
As TechCrunch revealed last year, Kaspersky researchers privately concluded that there was “no doubt” that Careto was run by the Spanish government, as one of the researchers put it.
On Wednesday, cybersecurity journalist Patrick Gray said on an episode of his podcast “Risky Business” that he believed, based on “bits and pieces” of which he was confident, that what Williams leaked to Operation Zero was the hacking kit used in Operation Triangulation.
Apple, Google and Operation Zero did not respond to requests for comment.
This post was originally published at 6:56 PM PT

