Masquerading as popular cryptocurrency wallets, the apps can hijack recovery phrases and private keys.
Over two dozen fake cryptocurrency applications targeting iOS users have been published to the Apple App Store, Kaspersky reports.
A large-scale cryptocurrency phishing campaign, dubbed FakeWallet, has been uncovered, targeting users through malicious applications designed to steal recovery phrases and private keys. The campaign has reportedly been active since late 2025 and gained significant traction after the apps began appearing frequently in search results on Apple’s Chinese App Store earlier this year.
The attack exploits regional restrictions that limit access to official cryptocurrency wallet applications in China. Threat actors have taken advantage of this gap by creating convincing replicas of popular wallet apps, using typosquatting techniques to mimic trusted brands such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. These fake applications often replicate official logos and interfaces, making it difficult for users to distinguish them from legitimate software.
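The lookalike names described above can be screened for on the defender side, for example when reviewing a list of installed or store-listed apps. The following is an added example, not code from Kaspersky's report or from this article: it flags listings whose names embed or closely resemble the wallet brands named here but come from a different publisher. The publisher IDs, sample listings, character-swap table and 0.8 threshold are constructed assumptions.

```python
import difflib
import unicodedata

# Brands named in the article; publisher IDs are placeholders, not real App Store data.
BRANDS = ["bitpie", "coinbase", "imtoken", "ledger", "metamask", "tokenpocket", "trustwallet"]
TRUSTED = {b: f"PUBLISHER-ID-{b.upper()}" for b in BRANDS}
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def normalize(name):
    """Fold compatibility forms (e.g. fullwidth), case, digit swaps and punctuation."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalnum())

def closest_brand(name, threshold=0.8):
    """Return (brand, reason) if the name embeds or nearly matches a brand."""
    norm = normalize(name)
    for brand in BRANDS:
        if brand in norm:  # heuristic: may also hit unrelated words embedding a brand
            return brand, "contains brand"
    # Score brand-length windows so suffixes like "Live" or "Pro" don't dilute the match.
    best_brand, best_score = None, 0.0
    for brand in BRANDS:
        n = len(brand)
        for i in range(max(1, len(norm) - n + 1)):
            score = difflib.SequenceMatcher(None, brand, norm[i:i + n]).ratio()
            if score > best_score:
                best_brand, best_score = brand, score
    return (best_brand, "near match") if best_score >= threshold else (None, None)

def flag_lookalikes(listings):
    """listings: iterable of (app_name, publisher_id). Returns suspicious entries."""
    flagged = []
    for app_name, publisher in listings:
        brand, reason = closest_brand(app_name)
        if brand and publisher != TRUSTED[brand]:
            flagged.append((app_name, brand, reason))
    return flagged

# Constructed sample listings for illustration only.
SAMPLE_LISTINGS = [
    ("MetaMask", "PUBLISHER-ID-METAMASK"),
    ("MetaMaskk Wallet", "PUBLISHER-ID-UNKNOWN-1"),
    ("C0inbase Wallet", "PUBLISHER-ID-UNKNOWN-2"),
    ("Ledqer Live", "PUBLISHER-ID-UNKNOWN-3"),
    ("Weather Now", "PUBLISHER-ID-UNKNOWN-4"),
]
```

A flagged listing is a lead for manual review of the publisher, not a verdict; the banner-style apps described in the next paragraph carry no wallet branding in their names and would not be caught by name matching.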
In some cases, the malicious apps did not directly use cryptocurrency branding but instead displayed banners prompting users to download them to access “official” wallets unavailable on the App Store. This approach allowed attackers to bypass initial suspicion while still directing users toward compromised environments.
The phishing functionality within these apps is particularly sophisticated. Once installed, the applications redirect users to external browser links that host infected versions of cryptocurrency wallets. The malicious code, delivered either through embedded libraries or directly injected into the app’s source code, is designed to capture sensitive wallet information, including recovery and seed phrases.
Further analysis revealed that the apps could intercept wallet restoration processes, enabling attackers to hijack access to users’ funds. The campaign also extends beyond software wallets, with specific implants targeting hardware wallets such as Ledger, indicating a broader and more advanced attack surface.
In addition to the mobile applications, a fraudulent website mimicking the official Ledger platform was discovered hosting download links for the malicious apps. Compromised Android wallet applications were also distributed through Chinese-language phishing pages, expanding the campaign’s reach beyond Apple’s ecosystem.
Although the campaign appears to primarily target Chinese-speaking users, its infrastructure suggests a global threat potential. The malicious modules lack regional restrictions and have demonstrated the ability to adapt phishing content based on the user’s device language, raising concerns about international exposure.
The FakeWallet campaign has also been linked to previously identified malware known as SparkKitty, based on similarities in distribution methods, code structure, and embedded modules. This connection indicates an evolving threat actor with a continued focus on cryptocurrency-related attacks.
Apple has been notified of the malicious activity and has begun removing the identified applications from the App Store. However, the scale and adaptability of the campaign highlight ongoing risks for users, particularly in regions where access to official applications is limited.
As cryptocurrency adoption continues to grow, this incident underscores the increasing sophistication of phishing attacks targeting digital assets, reinforcing the need for stronger app store scrutiny and heightened user awareness.





