FakeWallet iOS Apps in Apple App Store Stole Cryptocurrency Seed Phrases
Researchers identified a FakeWallet campaign that placed at least 26 malicious iOS apps in Apple’s App Store, where they impersonated well-known cryptocurrency wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The apps primarily targeted users in China, taking advantage of the fact that many legitimate crypto wallet apps were unavailable in the local App Store, and used typosquatting, fake branding, and phishing flows to redirect victims to browser-based credential theft pages or trojanized wallet installers. Investigators said the operation had likely been active since at least late 2025, and Apple was notified and removed several of the identified apps.
The malware used multiple techniques to steal wallet secrets from both hot-wallet and cold-wallet companion apps, including malicious dylib injection, executable hooking, provisioning profiles, and React Native code tampering. For hot wallets, the implants scraped mnemonic seed phrases and private keys directly from wallet interfaces; for Ledger-themed variants, the apps displayed convincing in-app prompts and fake verification pages to trick users into entering recovery phrases. Stolen data was RSA PKCS #1-encrypted, Base64-encoded, and sent to attacker-controlled servers, and researchers assessed the activity may be linked to the SparkKitty threat based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution, and overlapping cryptocurrency theft objectives.
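An added example, not code from the researchers or any listed source: a defender-side brand-monitoring check for the typosquatting described above. It scores App Store listing names against the wallet brands this page names and flags lookalikes whose publisher is not one you have verified. The publisher strings, sample listings and the 0.84 threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Wallet brands named on this page as impersonation targets.
BRANDS = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase",
          "TokenPocket", "imToken", "Bitpie"]
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # 0->o, 1->l, 3->e, 4->a, 5->s

def normalize(text):
    """Strip accents, fold case, undo digit swaps, drop spaces and punctuation."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in base.casefold().translate(DIGIT_SWAPS) if c.isalnum())

def closest_brand(app_name, threshold=0.84):
    """Return (brand, score); brand is None when nothing scores >= threshold."""
    name = normalize(app_name)
    best, best_score = None, 0.0
    for brand in BRANDS:
        target = normalize(brand)
        # Slide a brand-sized window so "Ledger Live Pro" still matches "Ledger".
        last_start = max(0, len(name) - len(target))
        score = max(SequenceMatcher(None, name[i:i + len(target)], target).ratio()
                    for i in range(last_start + 1))
        if score > best_score:
            best, best_score = brand, score
    return (best if best_score >= threshold else None), round(best_score, 3)

def triage(listing, verified_publishers):
    """Classify one store listing as 'ignore', 'legitimate' or 'review: ...'."""
    brand, score = closest_brand(listing["name"])
    if brand is None:
        return "ignore"
    if listing["publisher"] == verified_publishers.get(brand):
        return "legitimate"
    return f"review: resembles {brand} ({score})"

# Constructed sample data: publisher strings are placeholders, not real sellers.
VERIFIED = {"MetaMask": "EXAMPLE-VERIFIED-SELLER-A", "Ledger": "EXAMPLE-VERIFIED-SELLER-B"}
SAMPLE_LISTINGS = [
    {"name": "MetaMask", "publisher": "EXAMPLE-VERIFIED-SELLER-A"},
    {"name": "MetaMaask Wallet", "publisher": "EXAMPLE-UNKNOWN-SELLER"},
    {"name": "L3dger Live", "publisher": "EXAMPLE-UNKNOWN-SELLER"},
    {"name": "Weather Radar", "publisher": "EXAMPLE-UNKNOWN-SELLER"},
]

if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        print(item["name"], "->", triage(item, VERIFIED))
```

The check does not map cross-script homoglyphs (for example Cyrillic letters standing in for Latin ones); a confusables table would be needed to catch those.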

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Apple is notified and removes several malicious App Store apps
After identifying the malicious applications, researchers reported them to Apple. Several of the FakeWallet apps were subsequently removed from the App Store.
Researchers link FakeWallet activity to SparkKitty malware
During their analysis of the campaign, researchers found overlap with SparkKitty modules and assessed that the threat actor may be linked to SparkKitty based on shared targeting, Chinese-language artifacts, and similar fake App Store-style distribution methods. They also observed related Android samples distributed through phishing sites.
Researchers uncover 26 FakeWallet phishing apps in Apple's App Store
In March 2026, researchers identified a large iOS-focused FakeWallet campaign involving more than twenty phishing apps, including 26 apps impersonating wallets such as MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The apps redirected users to phishing pages or trojanized wallet installers designed to steal seed phrases and private keys.
FakeWallet campaign begins operating by fall 2025
Researchers assessed that the FakeWallet cryptocurrency-stealing campaign had been active since at least fall 2025. The operation used fake wallet branding and App Store-style distribution to target cryptocurrency users, primarily in China.
ESET traces trojanized wallet theft campaign back to May 2021
ESET reported a cryptocurrency-stealing campaign targeting Android and iPhone users via trojanized wallet apps and fake wallet websites, primarily aimed at Chinese users. The company said the activity dated back to at least May 2021 and involved impersonation of major wallet brands, malicious code inserted into otherwise functional apps, and broad distribution through fake sites, social media, and messaging channels.
Sources
26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases
thehackernews.com
Crypto stealing wallet apps proliferate in Apple App Store | brief | SC Media
scworld.com
China's Apple App Store infiltrated by crypto-stealing wallet apps
bleepingcomputer.com
ESET Research discovers scheme to steal cryptocurrency from Android and iPhone users | ESET
eset.com
FakeWallet crypto stealer spreading in the App Store | Securelist
securelist.com


