Why Evercrypted Messages Stay Safe — Even Against Coruna, the Government-Grade iPhone Exploit Kit

What Coruna Actually Does
A leaked U.S. government hacking toolkit called Coruna is now circulating among cybercriminals. It chains together 23 vulnerabilities across five separate exploit paths to compromise iPhones running iOS 13 through 17.2.1 — simply by visiting a malicious webpage. Google's Threat Intelligence Group and mobile security firm iVerify both published detailed analyses in early March 2026, and the story raises an urgent question: if your iPhone can be hacked this easily, what happens to your messages?
The answer depends entirely on how your messaging app is built.
Coruna isn't a single vulnerability — it's a professionally engineered platform originally built by L3Harris's Trenchant division for U.S. and Five Eyes intelligence use. It leaked through an insider who sold exploits to a sanctioned Russian broker, and from there it spread to Russian espionage groups targeting Ukraine and financially motivated Chinese cybercriminals running fake cryptocurrency exchanges.
The toolkit works through "watering hole" attacks: you visit a compromised website, hidden JavaScript fingerprints your device, and Coruna silently chains exploits to escalate from a WebKit flaw all the way to kernel-level access. Once it has that access, it can extract data stored on the device — credentials, tokens, keys, wallet recovery phrases — without you ever knowing.
CISA added three of the exploited CVEs to its Known Exploited Vulnerabilities catalog on March 5, 2026. If you haven't updated to iOS 18 or later, you should do that now. But updating your OS is only half the equation.
The Problem With Most Messaging Apps
In most messaging platforms, device compromise equals message compromise. Here's why: authentication credentials and encryption keys often live in the same place — your device's memory. If an attacker gains kernel-level access (which is exactly what Coruna provides), they can typically:
The encryption is technically there, but it all collapses the moment someone gains access to the device internals. One breach, one set of keys, and the entire conversation history is exposed.
This is the architectural weakness that toolkits like Coruna are designed to exploit.
How Evercrypted's Architecture Changes the Equation
Evercrypted separates what most apps combine. Instead of a single layer of keys that both authenticates your account and decrypts your messages, Evercrypted uses two independent security barriers:
Authentication keys handle identity and account sync. They prove you are who you say you are.
Message passwords handle decryption. They unlock the actual content of your conversations.
These two layers are cryptographically independent. Compromising one does not compromise the other.
Here's how it works: when you set a message password, Evercrypted uses it to temporarily modify the E2E encryption keys themselves. The messages aren't encrypted twice — instead, the encryption keys are transformed so that they only work when the correct password is applied. The raw E2E keys stored on your device are not the keys that were actually used to encrypt your messages. Without the password, those stored keys are useless.
This is a critical distinction. In most E2E messaging apps, if you steal the encryption keys from the device, you can decrypt everything. In Evercrypted, the keys on the device are incomplete — the password is the missing piece that makes them functional.
So what happens when an attacker uses Coruna against an Evercrypted user?
1. The attacker gains kernel-level access to the iPhone.
2. They extract authentication tokens and E2E encryption keys from device memory.
3. They use those credentials to pull encrypted messages from the server.
4. They try to decrypt using the stolen E2E keys — and fail.
The keys they extracted are not the keys that encrypted the messages. Without the password to reconstruct the actual encryption keys, all the attacker has is ciphertext. Not conversations. Not secrets. Just noise. They've breached the device, stolen every key stored on it, and they're still locked out.
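The key transformation and the failed decryption described above, as an added sketch that is not Evercrypted's code. The page does not specify the actual construction, so the scrypt derivation, AES-256-GCM, the message layout and every function name here are assumptions.

```javascript
const crypto = require('crypto');

// Assumed construction: the key that encrypts messages is derived from the
// message password, with the device-stored key mixed into the scrypt salt.
// The stored key alone is therefore never a valid message key.
function effectiveKey(storedKey, password, salt) {
  const boundSalt = Buffer.concat([salt, storedKey]);
  return crypto.scryptSync(password, boundSalt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

function encryptMessage(storedKey, password, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const key = effectiveKey(storedKey, password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, body, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the GCM tag does not verify (wrong key).
function decryptWithKey(key, msg) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  decipher.setAuthTag(msg.tag);
  try {
    return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

function decryptMessage(storedKey, password, msg) {
  return decryptWithKey(effectiveKey(storedKey, password, msg.salt), msg);
}

// Constructed scenario: storedKey stands for what is extracted from the device.
function demo() {
  const storedKey = crypto.randomBytes(32);
  const password = 'correct horse battery staple'; // constructed sample value
  const msg = encryptMessage(storedKey, password, 'meet at noon');
  return {
    stolenKeyOnly: decryptWithKey(storedKey, msg),             // device key used directly
    wrongPassword: decryptMessage(storedKey, 'guess123', msg), // stored key plus a bad guess
    withPassword: decryptMessage(storedKey, password, msg),    // legitimate user
  };
}
```

Anyone holding the stored key and the ciphertext can still test password guesses offline, so in this sketch the protection rests on the password's entropy and the scrypt cost parameters.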
Why This Matters More Than "Just Update Your Phone"
Yes, everyone should keep their devices updated. Coruna only affects iOS 17.2.1 and older, and Apple has patched the vulnerabilities. But the lesson here isn't about one toolkit — it's about a pattern.
Government-grade exploit tools leak. They always do. The NSA's EternalBlue leaked in 2017 and powered WannaCry and NotPetya. Now Coruna has followed the same path from classified capability to criminal commodity. There will be another one after this.
Relying solely on device security means trusting that no future exploit will ever breach your phone. That's not a realistic assumption. A messaging app's architecture needs to assume the device will be compromised and still protect your messages.
This is what defense in depth means in practice. Evercrypted layers multiple independent protections:
Each layer addresses a different attack vector. Coruna might breach one. It cannot breach all of them simultaneously.
The Bottom Line
Coruna is a reminder that the most sophisticated hacking tools don't stay in government hands forever. When they leak — and they do — they end up being used against ordinary people.
Device security is important. Keep your phone updated. But your messaging app needs to be designed for the scenario where device security fails.
Evercrypted is built for exactly that scenario. Even if an attacker extracts every authentication key from your compromised iPhone, your messages remain encrypted, unreadable, and private.
Because the password that unlocks them was never on the device in the first place.