iPhone Spyware Attacks Are Spreading — Is Your Phone Safe?
Leaked iPhone hacking tools are now in the hands of anyone who wants them — and millions of users running older iOS versions are directly in the crosshairs. Two powerful spyware toolkits, known as Coruna and DarkSword, have been actively used in large-scale attacks worldwide. Here's what you need to know and what you should do today.
The Myth That iPhones Are Hard to Hack Is Crumbling
For years, the security community operated under a comfortable assumption: hacking an iPhone was extraordinarily difficult. Doing so required significant funding, skilled teams, and months of painstaking research. That assumption made spyware attacks on iPhones feel like a distant, elite-level threat — something reserved for journalists or politicians, not everyday users. That comfort is now fading fast.
Cybersecurity researchers have recently documented multiple broad-scale hacking campaigns using Coruna and DarkSword, tools capable of compromising iPhones running outdated software. These attacks have been linked to Russian intelligence operatives and Chinese cybercriminals. Victims are being targeted through hacked websites and convincing fake pages, allowing attackers to silently steal sensitive phone data at scale.
Leaked Hacking Tools Have Changed Everything
What was already a serious threat has now become significantly more dangerous. Both Coruna and DarkSword have leaked online, meaning any technically capable bad actor can download the code and launch their own attacks — no nation-state backing required. This is not a contained incident. Security experts are describing it as a turning point in mobile cybersecurity.
The leak creates a ripple effect far beyond the original campaigns. When powerful exploit kits become publicly available, the attack surface expands dramatically. Cybercriminals who previously lacked the resources to build such tools can now simply repurpose what was once a sophisticated weapon.
Two Classes of iPhone Users Now Exist
Apple has made meaningful progress with iOS 26, particularly through a feature called Memory Integrity Enforcement, introduced on the latest iPhone 17 models. This technology is specifically designed to block memory corruption bugs — the exact class of vulnerability that DarkSword relied on heavily, according to researchers at Google. For users running this combination of new hardware and software, the security bar is genuinely higher.
But a vast number of iPhone users are not in that group. Millions of people still run iOS 18 or older versions, leaving them exposed to the memory-based exploits that tools like DarkSword were built to weaponize. The security gap between updated and outdated iPhones has never been more consequential.
A Thriving "Second-Hand" Exploit Market Is Fueling the Problem
Beyond the immediate attacks, researchers have identified a growing secondary economy around exploit tools. Once a vulnerability is patched by Apple, brokers are increasingly motivated to resell the same exploit to new buyers before widespread software updates take hold. This creates a financial incentive for attackers to extract maximum value from each discovered flaw.
This recycling of old exploits is not a glitch in the system — it is becoming the system. Security researchers warn this is a sign of a maturing underground market, not a temporary blip. The economics of exploit brokering now work against regular users who delay software updates, even by just a few weeks.
What You Should Do Right Now
The clearest action any iPhone user can take is immediate: update to the latest version of iOS. Apple's Memory Integrity Enforcement, on the iPhone 17 models that support it, and the other security hardening measures in iOS 26 represent the most meaningful protections currently available. Staying on older software is no longer a minor inconvenience; it is a measurable security risk.
Experts also caution against dismissing iPhone-targeted attacks as rare or overly sophisticated. The reality, security professionals now say, is that many attacks simply go undocumented. The threat landscape has shifted, and the tools to exploit it are now widely available. Treating your phone's software updates as critical security patches — not optional feature upgrades — has never been more important.