Fake “Pudgy World” Site Lures Gamers Into Handing Over Crypto Wallet Passwords

  • Malwarebytes researchers discovered a phishing site impersonating Pudgy Penguins’ new Pudgy World game, deploying 11 wallet-specific unlock screen forgeries covering Ethereum, Solana, and multi-chain wallets.
  • The fake site at pudgypengu-gamegifts[.]live tricks hardware wallet users into typing seed phrases through a “manual option” fallback when the spoofed connection flow fails.
  • Pudgy Penguins has now been targeted by phishing campaigns twice since December 2024, as FBI data shows phishing complaints exceeded 193,000 in 2024 with losses topping US$70 million.

A phishing campaign targeting players of Pudgy Penguins’ Pudgy World game has been identified days after the title’s launch on March 10, using a fake website to steal cryptocurrency wallet credentials.

Cybersecurity firm Malwarebytes said the site mimics legitimate wallet connection flows used for in-game items and digital collectibles. 

Hosted at pudgypengu-gamegifts[.]live, the page includes 11 tailored wallet interfaces designed to imitate different providers, indicating a coordinated and resource-intensive setup.

“The practical consequence of all this is that automated scanning tools are likely to rate the initial page as benign, because on their infrastructure, it behaves like one. The malicious functionality never loads unless the attacker’s server decides the visitor is worth targeting.”

Stefan Dasic, Malwarebytes Labs.

No public response has been issued by Pudgy Penguins or Igloo Inc.

Hardware Wallet Trap

The attack focuses on extracting seed phrases, particularly from hardware wallet users. When the spoofed connection process fails, users are redirected to a manual input option that requests recovery credentials, which are then captured by the attackers.

The site also includes evasion mechanisms to avoid detection. It checks for virtual machines, automated analysis tools, and other research environments. 

If such conditions are detected, the malicious components do not load, limiting exposure to security investigators.

This is not the first phishing campaign linked to Pudgy Penguins, though. In December 2024, a separate operation used malicious Google Ads and embedded scripts to identify crypto wallets before redirecting users to fraudulent pages.

The Pudgy Penguins NFT collection, managed by Igloo Inc, has declined significantly in value. Its floor price has fallen 88.3% from 36.33 ETH in December 2024 to 4.10 ETH, or about US$8.5K (AU$12K).

Phishing remains a persistent risk across crypto platforms (and basically everywhere on the internet). FBI data for 2024 recorded 193,407 phishing and spoofing incidents, with reported losses exceeding US$70 million (AU$107 million).

José Oramas
Author

José is a journalist and translator with a keen interest in blockchain and cryptocurrencies.
