
The prevailing belief among iPhone security specialists has been that finding vulnerabilities and crafting exploits for iOS is difficult, requiring substantial time, resources, and skilled teams of researchers to penetrate its security layers. Consequently, iPhone spyware and zero-day vulnerabilities, which remain unknown to the software vendor until they are exploited, were uncommon and typically used in limited, targeted attacks, according to Apple.
However, in the past month, cybersecurity analysts at Google, iVerify, and Lookout have identified several broad hacking campaigns using tools known as Coruna and DarkSword, which have indiscriminately targeted victims around the world who are not running Apple’s latest software. Those behind these breaches include Russian intelligence agents and Chinese hackers, who target their victims through compromised websites or counterfeit pages, potentially enabling them to extract information from numerous victims.
Some of these tools have now surfaced online, allowing anyone to take the code and easily run their own attacks against Apple users on older iOS versions.
Apple has dedicated extensive resources to new security and development technologies, such as implementing memory-safe code in its latest iPhone models and introducing features like Lockdown Mode specifically designed to combat potential spyware threats. The aim has been to enhance the security of modern iPhones and bolster the assertion that the iPhone is exceptionally difficult to compromise.
Nevertheless, many older iPhones that remain in use are now easier targets for spies and cybercriminals wielding spyware.
There are now essentially two categories of iPhone users.
Users running the latest iOS 26 on the newest iPhone 17 models unveiled in 2025 benefit from a new security feature called Memory Integrity Enforcement, designed to prevent memory corruption vulnerabilities, among the most frequently exploited weaknesses in spyware and phone unlocking operations. DarkSword relied heavily on these memory corruption vulnerabilities, according to Google.
In contrast, there are iPhone users who continue to operate the preceding version of Apple’s mobile operating system, iOS 18, or even earlier iterations, which have previously been susceptible to memory-based hacks and other exploits.
The emergence of Coruna and DarkSword suggests that memory-based attacks may continue to trouble users of older iPhones and iPads that are lagging behind the newer, more memory-secure models.
Experts from iVerify and Lookout, two cybersecurity firms with a commercial interest in selling mobile security solutions, assert that Coruna and DarkSword may also challenge the long-standing belief that iPhone hacks are infrequent.
iVerify’s co-founder Matthias Frielingsdorf told TechCrunch that mobile attacks are now “widespread,” though he also indicated that attacks leveraging zero-days against the latest software versions “will always be charged at a premium rate,” suggesting that these are not intended for large-scale hacks.
Patrick Wardle, a security expert at Apple, pointed out that one issue is the tendency for individuals to label attacks on iPhones as rare or sophisticated simply because they are infrequently documented. The reality, he stated, is that these attacks may exist but are not always detected.
“Characterizing them as ‘highly advanced’ is akin to calling tanks or missiles advanced,” Wardle told TechCrunch. “It’s accurate, but it overlooks the essential point. That’s merely the standard capability at that level, and all (most) nations possess them (or can acquire them for the appropriate cost).”
Another issue brought to light by Coruna and DarkSword is the apparent growth of a “second-hand” market, creating a financial incentive “for exploit developers and individual brokers to essentially receive compensation twice for the same exploit,” according to Justin Albrecht, principal researcher at Lookout.
Particularly once the initial exploit is patched, it makes sense for brokers to resell it before everyone has updated.
“This is not a one-off occurrence, but rather an indication of future trends,” Albrecht told TechCrunch.

