TLDR summary
In March 2026, researchers described Coruna, an iPhone exploit kit used in campaigns that included fraudulent finance and crypto websites. The important change for exchange users is simple: a fake crypto exchange page may be more than a credential-harvesting clone. On older iPhones, it could also be part of a browser-based compromise path aimed at wallet apps, seed phrases and financial data.
Key takeaways
- Google and iVerify tied Coruna to fake finance and crypto websites used against vulnerable iPhones.
- The campaign reportedly affected iOS versions from 13.0 to 17.2.1 until Apple shipped patches and backports in March 2026.
- Researchers said the payload targeted seed phrases, QR codes, financial data and wallet applications such as MetaMask, Phantom and Exodus.
- This was not only a domain-verification problem. Device patch status, browser exposure and wallet hygiene also mattered.
- CryptoGuide is an independent research platform, not an exchange, broker, custodian, investment adviser or legal adviser.
What happened
Google Threat Intelligence Group and iVerify disclosed the Coruna framework on March 3, 2026. Their reporting described a large exploit kit with multiple chains for older iPhones, and one of the campaigns used fraudulent finance and crypto websites as delivery points. Search results and follow-on coverage highlighted fake exchange pages, including clones tied to the WEEX brand, that pushed iPhone users into loading the malicious content.
Apple then shipped related security fixes for older devices on March 11, 2026, including iOS 15.8.7 and iOS 16.7.15. CISA added Coruna-related flaws to its Known Exploited Vulnerabilities catalog on March 5, 2026, which is a strong signal that the issue was not theoretical.
How the attack flow worked
The usual fake-exchange pattern is simple: copy the logo, buy a lookalike domain, steal the login or trick the user into entering a recovery phrase. Coruna added another layer. Researchers described hidden iframe delivery and browser exploitation after the victim loaded the page from a vulnerable iPhone. In plain language, the phishing page and the exploit delivery could sit in the same flow.
| Stage | What the user sees | What likely happens underneath |
|---|---|---|
| 1. Lure | A cloned exchange or finance page that looks familiar. | The page fingerprints the device and checks whether the visitor is on a targetable iPhone. |
| 2. Delivery | No obvious prompt beyond visiting the page. | A hidden iframe or browser chain attempts exploitation on vulnerable iOS versions. |
| 3. Access | The user may notice nothing immediately. | Researchers said the implant could exfiltrate financial data, QR codes and seed-phrase clues. |
| 4. Follow-through | Later wallet or exchange trouble. | Attackers target wallet apps, account credentials or recovery material for theft. |
Why this matters for exchange users
Exchange users often split their risk thinking into two buckets: browser/login risk on one side, wallet risk on the other. Coruna blurred that boundary. If a fake site can reach the device first and the wallet second, then the usual advice to "just check the URL" becomes incomplete.
That matters even if you keep most funds on an exchange. Attackers who get access to email, password managers, 2FA prompts, screenshots or wallet apps can still turn a single bad click into account takeover pressure, phishing follow-up or self-custody theft.
User checklist: what to verify now
| Check | Why it matters | What to do |
|---|---|---|
| iOS version | Older versions were part of the reported attack surface. | Update immediately and do not browse exchange links from unpatched devices. |
| Saved screenshots | Researchers said the malware looked for recovery phrases and financial data. | Delete seed-phrase screenshots and move backups fully offline. |
| Exchange sessions | Follow-on phishing or account takeover can happen after device compromise. | Review login history, active sessions, API keys and withdrawal allowlists. |
| Wallet apps | The campaign reportedly targeted specific wallet software. | Check wallet activity, revoke suspicious approvals and move funds if compromise is plausible. |
| Link habits | Brand familiarity is a weak defense against cloned pages. | Use bookmarks, typed URLs and official app-store or exchange navigation paths. |
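Added example, not code from the researchers or from CryptoGuide: a small triage script for the "iOS version" row, useful when checking several family or team devices at once. It uses only the figures quoted on this page (range 13.0 to 17.2.1, backports 15.8.7 and 16.7.15) and assumes each backport is the first fixed release on its major branch; the device labels are constructed.

```python
import re

# Figures from the article: reported affected range and the March 2026 backports.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
# Assumption: each backport is the first fixed release for its major branch.
BACKPORT_FLOOR = {15: (15, 8, 7), 16: (16, 7, 15)}

def parse_ios(version):
    """Turn '16.7.15' or '17.3' into a 3-tuple; raise ValueError otherwise."""
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised iOS version: {version!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version):
    """Classify one reported iOS version against the article's figures."""
    try:
        v = parse_ios(version)
    except ValueError:
        return "unknown"  # unparseable inventory rows need a manual look
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        # Outside the range the article reports; not a general statement of safety.
        return "outside-reported-range"
    floor = BACKPORT_FLOOR.get(v[0])
    if floor and v >= floor:
        return "backport-applied"
    return "in-reported-range"

def triage_inventory(rows):
    """rows: iterable of (device_label, version). Returns devices needing action."""
    results = ((label, triage(version)) for label, version in rows)
    return {label: s for label, s in results if s in ("in-reported-range", "unknown")}

# Constructed sample inventory (hypothetical device labels).
SAMPLE = [
    ("phone-a", "15.8.6"), ("phone-b", "15.8.7"),
    ("phone-c", "16.7.15"), ("phone-d", "17.2.1"),
    ("phone-e", "17.3"), ("phone-f", "14.8.1"),
    ("phone-g", "12.5.7"), ("phone-h", "beta"),
]

if __name__ == "__main__":
    for label, status in triage_inventory(SAMPLE).items():
        print(label, status)
```

A version such as 15.8.7 sits numerically inside the 13.0 to 17.2.1 range but is a patched backport, which is why the check compares against the branch floor rather than the range alone.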
Risk notes users should not skip
There are two uncomfortable lessons here. First, an up-to-date device is part of exchange security, not a separate consumer-tech issue. Second, app-store safety alone is not enough when the lure starts in a browser tab or a social link. Crypto users already know to distrust unsolicited wallet prompts. They should apply the same suspicion to "urgent login" exchange messages on mobile.
This also puts more weight on minimizing recovery-phrase exposure. The SparkCat and Rokarolla reporting from 2025 and 2026 points in the same direction: attackers increasingly combine fake pages, malicious mobile flows and seed-phrase hunting instead of relying on one clean phishing prompt.
What to do if you visited a suspicious exchange page on an older iPhone
- Update iOS before doing anything else.
- Change the password for the exchange account you used, then rotate the email account password tied to it.
- Review exchange security settings: 2FA method, active sessions, withdrawal whitelist and API keys.
- Move recovery phrases out of photos, notes and chat drafts if they ever touched the device.
- If a wallet app on that phone held meaningful funds, consider migrating to a clean wallet after reviewing approvals and recent transactions.
- Watch for delayed phishing. Device compromise often leads to better-targeted impersonation later.
CryptoGuide take
The most useful shift after Coruna is mental, not technical: treat fake exchange sites as potential compromise infrastructure, not only as fake login pages. That does not mean every cloned site has an exploit chain behind it. It means the downside of browsing from stale mobile devices is now high enough that patch discipline belongs on the same checklist as 2FA and withdrawal controls.
FAQ
Can a fake crypto exchange site infect an iPhone just by loading the page?
Older iPhones on vulnerable iOS versions faced that risk in the Coruna campaign. Researchers described hidden iframe delivery that could trigger exploitation when the page loaded, which is why software updates mattered as much as phishing awareness.
Was Coruna only a phishing page scam?
No. The fake exchange page was the lure, but researchers said the campaign also used a browser exploit kit and post-exploitation modules aimed at wallet apps, seed phrases and financial data.
What should exchange users do now?
Update iOS, stop using sideloaded or cloned finance apps, rotate passwords if you visited suspicious pages on an old iPhone, review exchange login history and move recovery phrases offline.
Conclusion
Fake crypto exchange pages are still dangerous for the old reasons: cloned branding, stolen passwords and support impersonation. Coruna added a newer reason to care: the page itself may be part of a deeper compromise path on outdated devices. That makes mobile patching, wallet hygiene and cautious exchange login habits part of the same trust model.