US Military Spyware Unleashed on iPhones Globally?

Hustler Words – A highly advanced iPhone hacking toolkit, dubbed "Coruna," that has been deployed in widespread cyberattacks against users in Ukraine and China, is now strongly suspected to have originated from a prominent U.S. military contractor, L3Harris. This revelation, brought to light by investigations from hustlerwords.com, suggests that tools designed for Western intelligence operations have tragically found their way into the arsenals of Russian government-backed espionage units and financially motivated Chinese cybercriminals.

Google’s security researchers recently detailed the discovery of this multifaceted toolkit, comprising 23 distinct components. Initially code-named "Coruna" by its creators, it was first observed in "highly targeted operations" by an undisclosed government client of an unnamed "surveillance vendor." Its trajectory then shifted dramatically, first being wielded by Russian state-sponsored actors against a select group of Ukrainian targets, before being adopted by Chinese cybercriminal organizations for "broad-scale" campaigns aimed at illicit financial gains and cryptocurrency theft.

Image credit: techcrunch.com

Independent analysis by mobile cybersecurity firm iVerify lends credence to this theory, with their researchers suggesting the toolkit’s genesis lies with a company supplying the U.S. government. Further corroboration comes from two former employees of L3Harris’s specialized hacking and surveillance technology division, Trenchant, who confirmed to hustlerwords.com that Coruna, or at least significant parts of it, was indeed a product of their development efforts. These individuals, speaking anonymously due to the sensitive nature of their past work, recognized familiar technical details published by Google. One explicitly stated, "Coruna was definitely an internal name of a component," while another noted the strong familiarity of the evidence.

Trenchant’s operational model dictates that its advanced hacking and surveillance capabilities are exclusively marketed to the U.S. government and its Five Eyes intelligence partners (Australia, Canada, New Zealand, and the United Kingdom). This raises critical questions about how such sensitive technology could have escaped its intended secure channels and fallen into hostile hands. While the full extent of L3Harris Trenchant’s contribution to the publicly revealed Coruna toolkit remains ambiguous, the circumstances bear striking resemblances to a high-profile security breach involving a former Trenchant executive.

Peter Williams, a former general manager at Trenchant, was recently sentenced to seven years in prison for stealing and selling eight proprietary hacking tools to Operation Zero, a Russian firm known for acquiring zero-day exploits. Williams, an Australian citizen, profited $1.3 million from these illicit sales between 2022 and mid-2025, leveraging his "full access" to Trenchant’s networks. U.S. prosecutors condemned his actions as a "betrayal," warning that the leaked tools could "potentially access millions of computers and devices around the world," implying vulnerabilities in widely used software like iOS.

Sanctioned by the U.S. government, Operation Zero reportedly works closely with the Russian government. The U.S. Treasury alleged that Operation Zero subsequently sold Williams’ "stolen tools to at least one unauthorized user." This provides a plausible explanation for how UNC6353, the Russian espionage group identified by Google, might have acquired Coruna. The toolkit was then reportedly deployed via compromised Ukrainian websites to target specific iPhone users based on their geolocation. The potential for further resale by Operation Zero, perhaps to other brokers, nations, or even directly to cybercriminals, is also being considered, especially given the Treasury’s claims linking the broker to financially motivated groups like the Trickbot ransomware gang. Williams himself reportedly recognized his code being used by a South Korean broker after his sales to Operation Zero, indicating a broader dissemination.

Further complicating the narrative, Google researchers have identified that two key Coruna exploits, internally named Photon and Gallium, were also utilized as zero-days in "Operation Triangulation." This sophisticated hacking campaign, which allegedly targeted Russian iPhone users, was first brought to public attention by cybersecurity firm Kaspersky in 2023.

Rocky Cole, co-founder of iVerify and a former NSA employee, stated to hustlerwords.com that current evidence strongly suggests Trenchant and the U.S. government as the original creators and primary users of Coruna, though he refrains from definitive claims. His assessment is based on three crucial factors: the timeline of Coruna’s deployment aligns with Williams’ leaks, the structural similarities between Coruna’s modules (Plasma, Photon, and Gallium) and those found in Triangulation, and the re-use of specific exploits. Cole also noted that "people close to the defense community" link Plasma to Operation Triangulation, despite a lack of public evidence. The toolkit’s compatibility with iOS versions 13 through 17.2.1 (September 2019 to December 2023) further corroborates the timeline of Williams’ illicit activities and the discovery of Operation Triangulation.

Intriguingly, one former Trenchant employee revealed that when Triangulation surfaced in 2023, colleagues suspected at least one of the zero-days caught by Kaspersky originated from their overarching project that included Coruna. Another telling "breadcrumb," as noted by security researcher Costin Raiu, is the use of bird names for some of Coruna’s 23 components (e.g., Cassowary, Terrorbird), echoing a previous revelation in 2021 by The Washington Post that Azimuth, a precursor to Trenchant, sold a tool named "Condor" to the FBI.

Following Kaspersky’s initial research on Operation Triangulation, Russia’s Federal Security Service (FSB) publicly accused the NSA of compromising "thousands" of iPhones within Russia, specifically targeting diplomats. While Kaspersky itself did not confirm the FSB’s claims, a spokesperson did acknowledge that the "indicators of compromise" identified by Russian authorities mirrored those discovered by Kaspersky. Boris Larin, a Kaspersky security researcher, clarified to hustlerwords.com that while Google linked Coruna to Triangulation due to shared vulnerabilities (Photon and Gallium), attribution cannot be based solely on this, as these exploit details are now public. He emphasized that these shared vulnerabilities represent "just the tip of the iceberg."

Kaspersky has historically employed subtle methods of attribution. For instance, their logo for Operation Triangulation—an Apple logo composed of triangles—bears a striking resemblance to the L3Harris logo, a detail that may not be coincidental. This mirrors their past practice with "Careto" (The Mask) in 2014, where they hinted at Spanish government involvement through subtle imagery, later privately confirming their suspicions.

Adding to the growing consensus, cybersecurity journalist Patrick Gray recently asserted on his "Risky Business" podcast that, based on his intelligence, he is confident the hacking kit leaked by Peter Williams to Operation Zero is indeed the same one deployed in the Triangulation campaign. The implications of a U.S. military contractor’s sophisticated cyber weaponry ending up in the hands of adversaries, then used in global attacks, underscore a profound and concerning breach in national security and cybersecurity protocols.
