
iPhone hacking tools used by Russian spies may have come from a US military contractor


A massive hacking campaign targeting iPhone users in Ukraine and China used tools that may have been developed by US military contractor L3Harris, TechCrunch has learned. The tools, designed for Western spies, ended up in the hands of various hacking groups, including Russian state-backed hackers and Chinese cybercriminals.

Last week, Google revealed that in 2025 it discovered an advanced iPhone-hacking toolkit that had been used in attacks around the world. The toolkit, named “Coruna” by its original developer, was made up of 23 different components that were first used “in focus” by an unnamed government customer and an anonymous “review vendor”. It was then used by Russian state spies against a minority of Ukrainians and finally by Chinese hackers “on a large scale” for the purpose of extorting money and cryptocurrency.

Researchers at mobile cybersecurity firm iVerify, which independently analyzed Coruna, said they believe it may have been built by a company that sold it to the US government.

Two former L3Harris employees told TechCrunch that Coruna was, in part, developed by the company’s offensive technology division, Trenchant. The two former employees both had experience with the company’s iPhone tools. Both spoke on condition of anonymity because they were not authorized to talk about their work at the company.

“Coruna was really an insider name,” said one former L3Harris employee, who was familiar with the iPhone tools as part of their work at Trenchant.

“When we look at the technology,” the person said, referring to some of the evidence Google published, “many are known.”

Contact us

Do you have information about Coruna, or other government hacking tools and spyware? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or on email.

The former employee said Trenchant’s larger arsenal consists of several different components, of which Coruna is one. The other former employee confirmed that some of the information included in the report on the theft came from Trenchant.

L3Harris sells Trenchant’s hacking and surveillance tools to the US government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given the number of Trenchant customers, it is possible that Coruna was purchased and used by one of these governments’ law enforcement or intelligence agencies before it fell into unintended hands, although it is not known how many of the leaked Coruna components were made by L3Harris Trenchant.

A spokesperson for L3Harris did not respond to a request for comment.

How Coruna went from the hands of a Five Eyes government contractor to a Russian hacking group, and then to a Chinese cybercrime group, is unclear.

But some of the events seem similar to the story of Peter Williams, a former general manager at Trenchant. From 2022 until he retired in 2025, Williams sold eight of the company’s hacking tools to Operation Zero, a Russian company that pays millions of dollars in exchange for zero-day vulnerabilities, meaning vulnerabilities unknown to the affected vendors.

Williams, a 39-year-old Australian, was sentenced to seven years in prison last month, after admitting to stealing and selling eight Trenchant tools to Operation Zero for $1.3 million.

The US government said Williams, who took advantage of his “full view” of the Trenchant network, “betrayed” the United States and its allies. Prosecutors accused him of leaking tools that would have allowed anyone who used them to “access millions of computers and devices around the world,” meaning that the tools exploited vulnerabilities affecting widely used software such as iOS.

Operation Zero, which was sanctioned by the US government last month, has said it works with the Russian government and local companies. The US Treasury said that the Russian broker sold the hacking tools Williams stole to “one unauthorized person.”

This could explain how a group of Russian spies, identified by Google only as UNC6353, obtained Coruna and planted it on compromised Ukrainian websites to infect the iPhones of certain users who had unwittingly visited those sites.

It is possible that after Operation Zero obtained Coruna and sold it to the Russian government, the broker sold the tools to someone else, either another broker, another country, or directly to cybercriminals. The Treasury Department said that a member of the Trickbot ransomware group was working with Operation Zero, tying the broker to financially motivated hackers.

Along the way, Coruna may have passed through the hands of others until it reached Chinese hackers. According to US prosecutors, Williams discovered that a tool he had stolen and sold to Operation Zero was later being used by a South Korean broker.

[Image: the logo Kaspersky designed for Operation Triangulation, next to the L3Harris logo. Image: Kaspersky and L3Harris]

Operation Triangulation

Google researchers wrote on Tuesday that two of Coruna’s exploits, called Photon and Gallium by their original developers, were used as zero-days in Operation Triangulation, a highly damaging campaign allegedly used against Russian iPhone users. Operation Triangulation was first revealed by Kaspersky in 2023.

Rocky Cole, co-founder of iVerify, told TechCrunch that “the best explanation based on what is known right now” points to Trenchant and the US government as the developer and customer of Coruna. Although, Cole added, he’s not saying this “for sure.”

This assessment, he said, is based on three factors: the timing of Coruna’s use coincides with the timing of Williams’s leaks; the design of the three modules – Plasma, Photon, and Gallium – found in Coruna closely resembles that of Triangulation; and Coruna also used other tools that were used in that operation.

According to Cole, “people close to the security community” claim that Plasma was used in Operation Triangulation, “although there is no public evidence of this.” (Cole previously worked for the US National Security Agency.)

According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, released between September 2019 and December 2023. That date range lines up with the timeline of Williams’s leaks and with the discovery of Operation Triangulation.

One of the former Trenchant employees told TechCrunch that when Triangulation was first revealed in 2023, some employees at the company believed that one of the zero-days Kaspersky caught “came from us,” and may have been “removed” from a larger project that included Coruna.

Another piece of evidence pointing to Trenchant – as noted by security researcher Costin Raiu – is the use of bird names for the 23 components, such as Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. In 2021, The Washington Post revealed that one of the two startups later acquired by L3Harris and merged into Trenchant had sold a hacking tool called Condor to the FBI in the famous San Bernardino iPhone case.

After Kaspersky published its investigation into Operation Triangulation, the Russian Federal Security Service (FSB) accused the NSA of hacking a large number of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said at the time that the company had no knowledge of the FSB’s claims. The spokesperson noted that the “indicators of compromise” – meaning evidence of a hack – identified by the Russian National Coordination Center for Computer Incidents (NCCCI) matched what Kaspersky had detected.

Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email that “despite our thorough investigation, we cannot attribute Operation Triangulation to a known APT (Advanced Persistent Threat) group or development company.”

Larin explained that Google connected Coruna with Operation Triangulation because they both use the same two exploits – Photon and Gallium.

“Attribution cannot be based on the use of these exploits. Information about these two exploits has been publicly available for a long time,” he said, adding that the connection drawn between the two “is purely speculative.”

Kaspersky has never publicly accused the US government of being behind Operation Triangulation. Yet the logo that the company created for this campaign – an Apple logo made of triangles – is reminiscent of the L3Harris logo, which is unlikely to be a coincidence. Kaspersky has a history of reporting on a hacking campaign publicly while quietly hinting that it knows who is behind it, or who provided its tools.

In 2014, Kaspersky announced that it had caught the infamous government spy group known as “Careto” (Spanish for “Mask”). The company said only that the hackers spoke Spanish. But the illustration of the mask that the company used in its report included the red and yellow colors of the Spanish flag, bull horns and nose rings, and castanets.

As TechCrunch revealed last year, Kaspersky researchers confirmed privately that “there is no doubt,” as one of them put it, that Careto was controlled by the Spanish government.

On Wednesday, cybersecurity reporter Patrick Gray said on an episode of his Risky Business podcast that he believed – based on the “bits and pieces” he was confident about – that what Williams had leaked to Operation Zero was the hacking tooling used in the Triangulation campaign.

Apple, Google, Kaspersky, and Operation Zero did not respond to requests for comment.
