Google security research team Project Zero published a report about a collection of hacked websites. Visiting them lead to the installation of an implant that had access to an iPhone's keychain. The implant used 0-day vulnerabilities in iOS 10 to 12 to give the attackers access to credentials or certificates thus compromising the whole device.
Google also provided several details on the vulnerability disclosure. First, the website chains were really used by the attackers, not for demonstration purposes. Secondly, they were used for more than two years. And thirdly, it was later revealed that they were used by the Chinese authorities to establish control over the private lives of Uighurs in the Xinjiang Uighur autonomous region.
Back in February Apple patched the vulnerabilities with updated iOS 12.1.4.