The iPhone hacking toolkit used by Russian spies may have come from US contractors

A hacking campaign targeting iPhone users in Ukraine and China used tools likely developed by US military contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, are now in the hands of several hacker groups, including Russian government hackers and Chinese cybercriminals.

Last week, Google revealed that during 2025 it discovered a sophisticated iPhone-hacking toolkit being used in a series of global attacks. The toolkit, named “Coruna” by its original developer, is made up of 23 separate components and was first used in “highly targeted operations” by an unnamed government customer and an unnamed “surveillance vendor”. It was then used by Russian government spies against a limited number of Ukrainians, and eventually by Chinese hackers in “widespread” campaigns to steal money and cryptocurrency.

Researchers at mobile security company iVerify, which independently analyzed Coruna, say they believe it may have been built by a company that sold it to the US government.

Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance technology division, Trenchant. Both had worked with the company’s iPhone hacking tools, and both spoke on condition of anonymity because they were not authorized to discuss their work at the company.

“Coruna was the internal name of the component,” said one former L3Harris employee, who was familiar with the iPhone hacking tools as part of their work at Trenchant.

“If you look at the technical details,” the person said, referring to other evidence published by Google, “there are many who know.”

The former employee said that the Trenchant toolkit bundles several components, of which Coruna and its related tools are a part. Another former employee confirmed that some of the material in the published hacking toolkit came from Trenchant.

L3Harris sells Trenchant’s hacking and surveillance tools exclusively to the US government and its partners in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given Trenchant’s limited customer base, it is possible that Coruna was originally acquired and used by one of these government intelligence agencies before falling into unintended hands, although it is unclear how much of the Coruna hacking toolkit came from L3Harris’ Trenchant.

A spokesperson for L3Harris did not respond to a request for comment.

How Coruna went from a Five Eyes government contractor to a Russian government hacking group, and then to a Chinese cybercrime gang, is unclear.

But the circumstances resemble the case of Peter Williams, the former general manager of Trenchant. From 2022 until his resignation in mid-2025, Williams sold eight hacking tools to Operation Zero, a Russian company that offered millions of dollars for zero-days, meaning vulnerabilities still unknown to the affected vendor.

Williams, 39, an Australian citizen, was sentenced to seven years in prison last month, after admitting to stealing and selling eight Trenchant hacking tools to Operation Zero for $1.3 million.

The US government said Williams, who took advantage of his “full access” to Trenchant’s networks, “betrayed” the United States and its allies. Prosecutors accused him of leaking tools that would have allowed anyone using them to “access millions of computers and devices around the world,” suggesting the tools relied on vulnerabilities in widely used software such as iOS.

Operation Zero, which was sanctioned by the US government last month, says it only works with the Russian government and Russian companies. The US Treasury Department says the Russian broker sold “the tools stolen by Williams to at least one unauthorized user.”

That would explain how a group of Russian spies, identified by Google only as UNC6353, obtained Coruna and deployed it on compromised Ukrainian websites to hack the iPhones of certain users in a particular region who unknowingly visited the malicious sites.

It is possible that once Operation Zero obtained Coruna and possibly sold it to the Russian government, the broker then resold the toolkit to someone else, perhaps another broker, another country, or even directly to hackers. The Treasury Department has alleged that a member of the Trickbot ransomware gang works with Operation Zero, linking the broker to financially motivated criminals.

Meanwhile, Coruna may have passed through other hands before it reached Chinese hackers. According to US prosecutors, Williams saw code he had written and sold to Operation Zero later being used by a South Korean broker.

The Kaspersky logo designed for Operation Triangulation next to the L3Harris logo. Photo: Kaspersky and L3Harris

Triangulation functionality

Google researchers wrote on Tuesday that two of the Coruna exploits and their underlying vulnerabilities, called Photon and Gallium by their original developers, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign allegedly aimed at Russian iPhone users. Operation Triangulation was first revealed by Kaspersky in 2023.

Rocky Cole, founder of iVerify, told TechCrunch that “the best explanation based on what is currently known” points to Trenchant and the US government being the original developer and customer of Coruna. Although, Cole added, he doesn’t know this “for sure.”

He said that assessment rests on three factors: the timeline of Coruna’s use is consistent with Williams’ leak; the design of three modules found in Coruna – Plasma, Photon, and Gallium – has strong similarities to Triangulation; and Coruna also reused some of the same material used in that operation, he said.

According to Cole, “people close to the defense community” claim that Plasma was used in Operation Triangulation, “although there is no public evidence of that.” (Cole used to work at the US National Security Agency.)

According to Google and iVerify, Coruna was designed to hack iPhone models running iOS 13 through 17.2.1, versions released between September 2019 and December 2023. Those dates line up with the timeline of Williams’ leaks, as well as the discovery of Operation Triangulation.

One of Trenchant’s former employees told TechCrunch that when Triangulation was first revealed in 2023, some employees at the company believed that at least one of the zero-days captured by Kaspersky “was from us,” and that it may have been “extracted” from the larger project that included Coruna.

Another breadcrumb that points to Trenchant – as noted by security researcher Costin Raiu – is the use of bird names for some of the 23 tools, such as Cassowary, Terrorbird, Bluebird, Jacurutu, and Sparrow. In 2021, the Washington Post revealed that Azimuth, one of the two startups later acquired by L3Harris and merged into Trenchant, had sold a hacking tool called Condor to the FBI in the famous San Bernardino iPhone hacking case.

After Kaspersky published its research on Operation Triangulation, Russia’s Federal Security Service (FSB) accused the NSA of hacking “thousands” of iPhones in Russia, specifically targeting diplomats. A Kaspersky spokesperson said at the time that the company had no information about the FSB’s claims. The spokesperson noted that the “indicators of compromise” – meaning evidence of hacking – identified by the Russian National Coordination Center for Computer Incidents (NCCCI) were the same ones identified by Kaspersky.

Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email that “despite our extensive research, we cannot say that Operation Triangulation is related to any known [Advanced Persistent Threat] group or exploit development company.”

Larin explained that Google linked Coruna to Operation Triangulation because they both exploited the same vulnerabilities, Photon and Gallium.

“The attribution cannot be based solely on the fact of the exploitation of these vulnerabilities. All the details of both vulnerabilities have long been publicly available,” so anyone could have taken advantage of them, he said, adding that the two shared vulnerabilities “are just the tip of the iceberg.”

Kaspersky has never publicly accused the US government of being behind Operation Triangulation. Ironically, the logo the company created for the campaign – an apple made up of several triangles – is reminiscent of the L3Harris logo. That may not be a coincidence. Kaspersky has previously declined to publicly attribute a hacking campaign while quietly hinting that it does in fact know who was behind it, or who supplied its tools.

In 2014, Kaspersky announced that it had uncovered a sophisticated and mysterious government hacking group known as “Careto” (Spanish for “The Mask”). The company would only say that the hackers spoke Spanish. But the image of the mask used by the company in its report included the red and yellow colors of the Spanish flag, a bull’s horns and nose ring, and castanets.

As TechCrunch revealed last year, Kaspersky researchers privately held that there was “no doubt,” as one of them put it, that Careto was the work of the Spanish government.

On Wednesday, cybersecurity journalist Patrick Gray said in an episode of his podcast Risky Business that he thought – based on “bits and pieces” he was sure of – that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign.

Apple, Google, Kaspersky, and Operation Zero did not respond to requests for comment.