A mass hacking campaign targeting iPhone users in Ukraine and China used tools that were likely designed by U.S. military contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, wound up in the hands of various hacking groups, including Russian government spooks and Chinese cybercriminals.
Last week, Google revealed that over the course of 2025 it discovered that a sophisticated iPhone-hacking toolkit had been used in a series of global attacks. The toolkit, dubbed “Coruna” by its original developer, was made of 23 different components first used “in highly targeted operations” by an unnamed government customer of an unspecified “surveillance vendor.” It was then used by Russian government spies against a limited number of Ukrainians and finally by Chinese cybercriminals “in broad-scale” campaigns with the goal of stealing money and cryptocurrency.
Researchers at mobile cybersecurity company iVerify, which independently analyzed Coruna, said they believed it may have been originally built by a company that sold it to the U.S. government.
Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they weren’t authorized to talk about their work for the company.
“Coruna was definitely an internal name of a component,” said one former L3Harris employee, who was familiar with iPhone hacking tools as part of their work at Trenchant.
“Looking at the technical details,” this person said, referring to some of the evidence Google published, “so many are familiar.”
Contact Us Do you have more information about Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or . Do you have more information about Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email
The former employee said the overarching Trenchant toolkit housed several different components, including Coruna and related exploits. Another former employee confirmed that some of the details included in the published hacking toolkit came from Trenchant.
L3Harris sells Trenchant’s hacking and surveillance tools exclusively to the U.S. government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand, and the United Kingdom. Given Trenchant’s limited number of customers, it’s possible that Coruna was originally acquired and used by one of these governments’ intelligence agencies before falling into unintended hands, though it’s unclear how much of the published Coruna hacking toolkit were developed by L3Harris Trenchant.
An L3Harris spokesperson did not respond to a request for comment.
... continue reading