Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Security researchers have uncovered several cyberattacks targeting Apple customers around the world. The tools used in the hacking campaigns were named crown and DarkSwordand has been used by government spies and cybercriminals to hack people’s iPhones and iPads.
It is rare to see common hacks targeting iPhone and iPad users. In the last decade, only the beginnings have been attacking the Muslim Uyghurs in Chinaand people in Hong Kong.
Now, some of the powerful hacking tools are leaked onlineputting hundreds of millions of iPhones and iPads running out of outdated software at risk of data theft.
We break down what we know and don’t do about the latest iPhone and iPad security threats, and what you can do to stay safe.
What is Coruna and DarkSword?
Coruna and DarkSword are two groups of advanced tools that each have several features that can hack iPhones and iPads, and steal personal information, such as their messages, browser data, history, and cryptocurrency.
Security researchers who discovered the tools say Coruna’s exploits can jailbreak iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023.
DarkSword, however, had tools capable of hacking the latest iPhones and iPads running iOS 18.4 and 18.7, which were released in September 2025, according to Google security researchers investigating the code.
But the threat from DarkSword is more recent for ordinary people. Someone downloaded the DarkSword module and published it on the code-sharing site GitHubmaking it easy for anyone to download malicious code and launch their own attacks targeting Apple users with older versions of iOS.
How do Coruna and DarkSword work?
This type of attack is meant to be indiscriminate and dangerous, as it can trap anyone who visits a website with malicious code.
contact us
Do you have information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or on email.
In some cases, victims can get scammed just by visiting a legitimate website under the supervision of the hackers.
Once victims are infected in the first place, Coruna and DarkSword exploit a number of vulnerabilities in iOS that allow hackers to gain control of the target device, allowing them to steal the user’s personal information. The data is uploaded to a web server controlled by the hackers.
At least some parts of Coruna equipment, as TechCrunch previously reportedwas originally developed by Trenchant, a hacking and spyware group within the US security firm L3Harris, which sells assets to the US government and its elite agencies.
Kaspersky also linked two incidents in Coruna devices Operation TriangulationA complex and possibly government-led coup d’état took place against Russian iPhone users.
After Trenchant built Coruna – in some way, it is not clear how – these operations found their way into the hands of Russian spies and Chinese pirates, probably through one or more middlemen who traded on the underground market.
Coruna’s travels also show that powerful weapons of mass destruction, including those developed in the US under covert sanctions, can trickle down and proliferate unchecked.
One example of this was in 2017 when a tool developed by the US National Security Agency, which was able to hack Windows computers around the world, was leaked online. A similar function was used the devastating WannaCry ransomware attackwho he broke randomly hundreds of thousands of computers around the world.
In the case of DarkSword, researchers observed that it was attacking users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. It’s still unclear who created DarkSword, how it ended up with various hacking groups, or how the tools ended up on the Internet.
It is unclear who released it and published it online at GitHub, or for what reason.
The hacking tools, which TechCrunch has seen, are written in the web’s HTML and JavaScript languages, making them easy to program and create on your own from anywhere and anyone who wants to launch an attack. (TechCrunch is not affiliated with GitHub as tools can be used to combat abuse.) Researchers send on X they have already tested the devices that went down by hacking their own Apple devices with the company’s vulnerable software.
DarkSword is now “plug-and-play,” as Justin Albrecht, senior researcher at mobile security firm Lookout, explained to TechCrunch.
GitHub told TechCrunch that it has not removed the downloaded code, but will keep it for security analysis.
“GitHub’s official policy prohibits posting content that directly supports illegal attacks or criminal campaigns that compromise technology,” GitHub’s cybersecurity consultant Jesse Geraci told TechCrunch. “However, we do not prohibit the posting of source code that can be used to create malware or exploits, as the dissemination and distribution of this source code is educational and provides value to the security community.”
Is my iPhone or iPad vulnerable to DarkSword?
If you have an older iPhone or iPad, you should consider upgrading right away.
Apple told TechCrunch that users of the latest versions of iOS 15 through iOS 26 are already protected.
According to iVerify: “We strongly recommend upgrading to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities used in these attack chains.”
According to Apple figures thatalmost one in three iPhone and iPad users are still not using the latest version of iOS 26. This means that there are hundreds of millions of devices that are vulnerable to these hacking tools, as Apple does more than 2.5 billion tools that work all over the world.
What if I can’t or don’t want to upgrade to iOS 26?
Apple also said that devices that use Lockdown Mode, an additional security feature that was first introduced in iOS 16it also blocks this special attack.
Lockdown Mode is useful for journalists, critics, human rights activists, and anyone who thinks they might want to check who they are, or what they do.
When Lockdown Mode he is not perfectthere has been no public evidence that hackers have been able to bypass its security so far. (We asked Apple if that claim is still true, and will update if we hear back.) Lockdown Mode was he found that he had stopped at least an attempt to plant spyware on a human rights defender’s phone.
