Over the course of 2025, a vast and complex cyber espionage campaign affected numerous iPhone owners in Ukraine and China.
What makes this incident particularly serious is not only the scale of the attacks, but the very origin of the tools used to penetrate the devices.
According to recent investigations conducted by Google’s security teams and corroborated by independent researchers, the architecture used, known by the code name “Coruna”, had originally been designed for Western intelligence agencies.
This sophisticated software package progressively ended up in the hands of Russian government agents and, subsequently, Chinese cybercriminals.
The compromise kit comprises 23 distinct components, originally designed for highly sophisticated operations.
Technical analyses, combined with revelations from anonymous former employees, point decisively toward L3Harris, a well-known US defense contractor, and specifically toward its Trenchant division.
This company develops and provides infiltration technologies exclusively to the US government and to Five Eyes partners.
How did such sensitive software get through the tightest geopolitical barriers? The answer lies in the illicit actions of a single individual.
Between 2022 and mid-2025, a former executive of the Trenchant division stole 8 proprietary tools and sold them to Operation Zero, a Russian company that specializes in purchasing zero-day vulnerabilities.
In exchange for about 1.3 million dollars, these strategic assets were ceded to an entity operating in direct contact with Moscow’s institutions, exposing systems around the world.
The United States government has confirmed that the Russian intermediary later shared or resold this code to unauthorized third parties, triggering a chain reaction. This handover allowed the Kremlin-affiliated espionage group, identified by Google as UNC6353, to come into possession of Coruna.
Once the arsenal was acquired, the Russian agents deployed it to compromise specific Ukrainian websites. The attack was extremely surgical: the software infected the devices of Apple users located in certain geographic areas who unknowingly visited the manipulated portals.
However, the spread of the code did not stop within the military and governmental sphere.
The kit inexorably slipped toward the digital black market, landing on Chinese hackers’ servers. They altered the weapon’s nature, turning a surveillance tool into a means of conducting massive financial fraud, stealing traditional currency and cryptocurrencies from thousands of victims.
This highlights how difficult it is to contain the spread of cyber weapons once they have been stolen from their original creators.
Analysts have identified clear and unequivocal links between Coruna and another infamous cyber offensive discovered by Kaspersky in 2023, dubbed Operation Triangulation.
Both campaigns exploit identical vulnerabilities, internally named Photon and Gallium, and also share entirely overlapping structural modules.
Evidence of a US origin also emerges from seemingly marginal details, such as L3Harris's habit of assigning bird names to its software: several Coruna components bear names such as Cassowary and Sparrow.
Although there have never been formal accusations by cybersecurity companies, the sector has its ways of communicating its discoveries.
Kaspersky itself, when publishing the details of Operation Triangulation, designed and circulated a logo for the campaign that closely mirrored the L3Harris brand, subtly suggesting the technology’s provenance without having to declare it openly.