Originally reported by Schneier on Security, WIRED Security
TL;DR
Google researchers identified Coruna, a sophisticated US government iPhone hacking toolkit exploiting 23 iOS vulnerabilities that leaked to Russian government and cybercriminals. Meanwhile, the 2026 US Cyber Strategy suggests controversial hackback permissions for private companies.
The leak of sophisticated US government iPhone hacking tools to adversaries and cybercriminals represents a significant operational security failure with national security implications. The toolkit exploits 23 iOS vulnerabilities and is now in hostile hands.
Google security researchers disclosed "Coruna," a highly sophisticated iPhone exploitation framework that leverages 23 distinct iOS vulnerabilities across five complete attack chains. The toolkit enables silent malware installation through drive-by web exploits, bypassing all iPhone security defenses.
According to iVerify cofounder Rocky Cole, the codebase bears clear indicators of US government origin, including English-language development patterns and architectural similarities to previously attributed government tools. Two former L3Harris employees confirmed to TechCrunch that Coruna was developed by the company's Trenchant division, which specializes in surveillance technology.
The operational security breach appears to stem from an L3Harris Trenchant employee who allegedly sold the toolkit to Russian government entities. From there, it proliferated to cybercriminal groups, marking the first confirmed case of US government hacking tools "spinning out of control" and being weaponized by adversaries.
The incident highlights the inherent risks in developing sophisticated cyber weapons: once deployed, control over these capabilities can be lost entirely.
The 2026 "Cyber Strategy for America" document contains language suggesting potential authorization for private sector offensive cyber operations. The key phrase states the government will "unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities."
Security expert Bruce Schneier warns against this approach, arguing that hackback in peacetime constitutes vigilante justice rather than legitimate counterattack. The fundamental challenges include:
Schneier draws parallels to historical letters of marque, arguing that modern cyber operations require the same legal protections and due process standards that govern physical world conflicts.
WIRED conducted an analysis of Department of Homeland Security records, identifying dozens of specialized federal agents who used force against US civilians during what the publication characterizes as "the largest known deployment of its kind in US history."
The analysis focused on Border Patrol Tactical Unit (BORTAC) and Border Patrol Search, Trauma, and Rescue (BORSTAR) operations, providing unprecedented visibility into federal law enforcement activities during immigration enforcement operations.
While the article does not detail specific findings, the methodology demonstrates how public records analysis can reveal patterns in federal agent deployments and use-of-force incidents that might otherwise remain opaque to public scrutiny.