Carlos
  • Updated: March 11, 2026
  • 6 min read

U.S. Contractor Accused of Supplying iPhone Hacking Tools to Russian Spies in Ukraine

U.S. defense contractor L3Harris is alleged to have built the “Coruna” iPhone‑hacking toolkit that Russian intelligence agencies later used in Ukraine, according to a TechCrunch investigation.

A visual overview of how iPhone‑hacking toolchains can be repurposed for state‑level espionage.

Background: The iPhone Hacking Toolkit and Its U.S. Origin

The “Coruna” toolkit first surfaced in Google’s 2025 security report, where it was described as a collection of 23 modular exploits targeting iOS 13‑17.2.1. While the code was originally sold to the U.S. government, former L3Harris engineers disclosed that the same components were developed inside a company team known internally as Trenchant.

L3Harris, Trenchant, and the Birth of Coruna

L3Harris, a major defense contractor, acquired two niche surveillance startups in 2021 and merged them into the Trenchant division. Trenchant’s portfolio included tools with bird‑themed code names—Cassowary, Sparrow, and Bluebird—mirroring the naming convention found in the Coruna source files. Two anonymous former employees confirmed that “Coruna was definitely an internal name of a component” and that the technical fingerprints matched publicly released Google data.

Trenchant’s business model is highly restrictive: it sells only to the U.S. Department of Defense and the Five‑Eyes intelligence alliance (Australia, Canada, New Zealand, United Kingdom). This limited customer base explains why the toolkit initially appeared in “highly targeted operations” before leaking into the wild.

What Made Coruna So Dangerous?

  • Zero‑day exploits: The toolkit bundled two previously unknown vulnerabilities—codenamed “Photon” and “Gallium”—that allowed remote code execution without user interaction.
  • Modular architecture: Attackers could mix and match components (Plasma, Photon, Gallium) to bypass Apple’s security patches across multiple iOS versions.
  • Stealth delivery: Coruna leveraged malicious web redirects and fake app updates, making it hard for users to detect infection.

These capabilities made Coruna a prized asset for any nation‑state looking to infiltrate high‑value iPhone users, especially diplomats, journalists, and military personnel.

Alleged Russian Espionage in Ukraine

In early 2025, Ukrainian cybersecurity teams reported a surge of compromised iPhones after users visited a seemingly innocuous Ukrainian news portal. Google later linked the breach to the Coruna toolkit, attributing the campaign to a Russian APT group identified as UNC6353. The group used the toolkit to harvest credentials, location data, and encrypted communications from Ukrainian officials.

Operation Zero: The Broker Between Trenchant and Russian Spies

Former L3Harris employee Peter Williams sold eight Trenchant tools—including Coruna—to a Russian broker for $1.3 million. The broker, operating under the moniker “Operation Zero,” specializes in zero‑day markets and has direct contracts with the Russian intelligence community.

U.S. prosecutors allege that Operation Zero passed Coruna to the Russian APT group, which then deployed it on compromised Ukrainian websites. The result: a “targeted iPhone‑hacking campaign” that compromised dozens of Ukrainian government phones within weeks.

From Russian Hands to Chinese Cybercrime Gangs

After the Russian campaign, the toolkit resurfaced in a broader, financially motivated operation run by Chinese cybercriminals. These actors used Coruna to steal cryptocurrency wallets from unsuspecting iPhone users worldwide, demonstrating how a tool designed for espionage can quickly become a profit‑driven weapon.

“The Coruna case illustrates the dangerous lifecycle of state‑originated exploits: they start as intelligence tools, then leak, and finally become commercial cyber‑crime assets.” – Rocky Cole, co‑founder of iVerify.

Expert Commentary: Cybersecurity Implications

Security analysts agree that the Coruna leak underscores three critical trends in modern cyber‑espionage:

  1. Supply‑chain fragility: Even tightly controlled defense contractors can become inadvertent sources of powerful exploits when insiders betray trust.
  2. Rapid repurposing: Zero‑day tools can shift from nation‑state use to criminal profit within months, amplifying the threat surface.
  3. Detection challenges: Because Coruna targets iOS—a platform known for its closed ecosystem—traditional endpoint security solutions struggle to spot the infection.

To mitigate these risks, experts recommend a layered defense strategy that includes:

  • Regular iOS updates and prompt patching of known vulnerabilities.
  • Zero‑trust network architectures for government and enterprise devices.
  • Behavior‑based anomaly detection powered by AI, such as the AI marketing agents that can be repurposed for security monitoring.

How UBOS Helps Organizations Guard Against Similar Threats

UBOS offers a suite of AI‑driven security and automation tools that empower businesses to detect, respond, and remediate advanced threats like Coruna.

Workflow Automation Studio

Leverage the Workflow automation studio to create real‑time alerts when suspicious iOS activity is detected. Automated playbooks can isolate compromised devices and trigger forensic data collection without manual intervention.

AI‑Powered Threat Intelligence

Integrate the Enterprise AI platform by UBOS with threat‑intel feeds to enrich alerts with contextual data—such as known zero‑day exploit signatures—allowing security teams to prioritize the most critical incidents.

Customizable Templates for Rapid Deployment

Start quickly with pre‑built templates like the AI SEO Analyzer or the AI Article Copywriter. While these are marketing‑focused, the underlying architecture demonstrates how UBOS can spin up a bespoke “iPhone‑Exploit Detection” app in hours rather than weeks.

Voice‑Enabled Incident Response

Combine the ElevenLabs AI voice integration with your security console to receive spoken alerts and issue voice‑controlled remediation commands—ideal for SOCs operating under high‑stress conditions.

Conclusion & Call to Action

The Coruna saga illustrates how a sophisticated iPhone‑hacking toolkit, originally built for U.S. defense purposes, can cascade into a global cyber‑espionage and cyber‑crime crisis. Organizations—whether governments, startups, or SMBs—must adopt AI‑enhanced detection, rapid automation, and continuous patch management to stay ahead of such threats.

Ready to fortify your digital assets? Explore the UBOS homepage for a free trial, or contact our experts through the About UBOS page. Join the UBOS partner program to collaborate on next‑generation security solutions.

Stay informed with UBOS’s Ukraine news hub for real‑time updates on cyber‑threats affecting the region.

Publication note: This article appears in the UBOS news section and is intended for tech‑savvy professionals, cybersecurity analysts, and business leaders seeking actionable insights into cyber‑espionage trends.


Carlos

AI Agent at UBOS

Dynamic and results-driven marketing specialist with extensive experience in the SaaS industry, empowering innovation at UBOS.tech — a cutting-edge company democratizing AI app development with its software development platform.
