A common assumption among iPhone security experts has been that discovering iOS vulnerabilities and developing exploits is difficult, requiring significant time, resources, and a team of skilled researchers to penetrate layers of security defenses. This means that iPhone spyware and zero-day vulnerabilities are rarely known to software vendors before being exploited and, as Apple itself has stated, are only used in limited, targeted attacks.
But last month, cybersecurity researchers at Google, iVerify, and Lookout documented multiple large-scale hacking campaigns using tools known as Coruna and DarkSword. These campaigns almost indiscriminately targeted victims around the world who were not already running Apple's latest software. Some of the hackers behind these attacks include Russian spies and Chinese cybercriminals, who target victims through hacked websites and fake pages and potentially steal phone data from numerous victims.
Now, some of these tools have leaked online, making it easy for anyone to obtain the code and launch attacks against Apple users running older versions of iOS.
Apple has invested significant resources in new security and development technologies, including introducing memory-safe code in its latest iPhone models and features such as lockdown mode to combat potential spyware attacks. The goal was to make the latest iPhones more secure and strengthen the argument that iPhones are extremely difficult to hack.
However, there are still many older and outdated iPhones, making them easy targets for spies and cybercriminals using spyware.
There are currently two basic security classes for iPhone users.
Users using the latest iOS 26 running on the latest iPhone 17 models released in 2025 have a new security feature called Memory Integrity Enforcement. This is designed to thwart memory corruption bugs, one of the most commonly exploited flaws in spyware and cell phone unlock attacks. According to Google, DarkSword relied heavily on a memory corruption bug.
Additionally, some iPhone users are still running the previous version of Apple's mobile software, iOS 18, or older versions that have been vulnerable to memory-based hacks and other exploits in the past.
Contact Us Want more information about DarkSword, Coruna, or other government hacking and spyware tools? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or by email.
The findings of Coruna and DarkSword suggest that memory-based attacks may continue to plague users of older iPhones and iPads, which lag behind newer, more memory-secure models.
Experts at iVerify and Lookout, cybersecurity companies with commercial interests in selling security products for mobile devices, say Coruna and DarkSword could also challenge the long-held assumption that iPhone hacks are rare.
Matthias Frielingsdorf, co-founder of iVerify, told TechCrunch that mobile attacks are now “pervasive,” but he also said that attacks that rely on zero-days against modern software “will always come at a premium,” suggesting they won't be used to hack people at scale.
Patrick Wardle, an Apple security expert, said part of the problem is that people call attacks on the iPhone unusual or sophisticated simply because they are rarely documented. But in reality, he said, while such attacks may exist, they are not always caught.
“Calling them 'highly advanced' is like calling a tank or a missile advanced,” Wardle told TechCrunch. “That's true, but that's beside the point. It's just basic capabilities at that level, and all (most) countries have them (or can get them for the right price).”
Another problem highlighted by Coruna and DarkSword is that there is now a clearly thriving “second-hand” market, which creates a financial incentive for “exploit developers and individual brokers to essentially get paid twice for the same exploit,” said Justin Albrecht, Principal Researcher at Lookout.
Especially if the initial exploit is patched, it makes sense for brokers to resell it before everyone updates.
“This is not a one-time event, but rather a sign of things to come,” Albrecht told TechCrunch.