Cybersecurity Uncovers 13 Malicious Wallets that Could Steal Your Crypto

A criminal plot to steal users’ digital assets via apps impersonating popular cryptocurrency wallets has been uncovered in new research by global cybersecurity firm ESET.

ESET believes it’s likely that a single criminal group is behind the coordinated scheme to steal users’ crypto funds – via more than 40 copycat websites of popular crypto wallets used to promote downloads of malicious apps.

While the malicious apps were not available on Apple’s App Store (instead requiring download and installation using a configuration profile), 13 apps impersonating the Jaxx Liberty wallet were found on the Google Play store and have subsequently been removed by Google.

Counterfeit Wallets Target Chinese Users

Primarily targeting Chinese users, across both Android and iOS devices, the malicious apps closely mimicked the appearance and functionality of legitimate wallets including MetaMask, Coinbase and Trust Wallet.  

ESET researcher Lukáš Štefanko said the malicious code used in the Trojan wallets enables users’ funds to be stolen and opened users to other risks:

These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network.

Lukáš Štefanko, ESET researcher

Beware Before You Download

ESET found the Trojan apps and fake websites were sophisticated, and also promoted using ads on legitimate sites and via groups on Telegram and Facebook.

The firm said the source code of the threat it uncovered has now been leaked online, which could encourage and enable other criminals to spread the threat even further. 

In light of the findings, Keystone Wallet tweeted a warning to its users to be wary of what they download:

Fake wallet scams are a key risk for crypto investors. Last year it was revealed that over US$500,000 had been lost due to Google Ads directing users to fake wallets, while Apple was served a US$5 million lawsuit over a phishing app disguised as a wallet that was available in the tech giant’s App Store.