FakeWallet Phishing Campaign Uses iOS Apps to Steal Wallet Recovery Phrases
The campaign, dubbed “FakeWallet,” has been active since at least the fall of 2025, according to a SecureList report. Its known network indicators of compromise (IoCs) comprise 12 subdomains, 15 domains, and a single IP address. SecureList’s analysis shows that one client IP issued seven DNS queries for three of the domain IoCs between March 28 and April 1 2026, and that the same client IP communicated with the sole IP IoC between December 4 2025 and April 13 2026.
Subdomain analysis found that five of the 12 subdomains were flagged as malware hosts in late April 2026; 6688cf.jhxrpbgq.com and mgi1y.siyangoil.com, for example, were reported between April 21 and 26 2026. The subdomain api.npoint.io belongs to a legitimate service and was noted as a potential abuse vector rather than as attacker-owned infrastructure. The subdomain api.dc1637.xyz was classified as suspicious because no DNS data was available for it. A further subdomain, mti4ywy4.lahuafa.com, was also flagged for malware distribution in the same period.
The five parent domains of nine of the subdomains were updated on April 20 2026, the day before the first subdomain detections on April 21 2026, which suggests pre-campaign staging. Domain-level investigation found that crypto-store.cc was bulk-registered on September 9 2025 together with two look-alikes, crypto-store.top and crypto-store.cn. Two domains, gxzhrc.cn and jhxrpbgq.com, had appeared in the First Watch Malicious Domains feed 539 and 47 days, respectively, before they were identified as IoCs.
WHOIS data shows the 15 domains were created between November 2017 and March 2026 and are spread across eight registrars. A registrant country is listed for 14 of the domains, covering four countries in total. Historical DNS data from DNS Chronicle indicates that 12 of the domains have resolved to 258 unique IP addresses over time, the earliest recorded resolution dating to November 15 2019.
The sole IP IoC is located in Singapore and is owned by The Constant Company; 114 historical IP-to-domain resolutions are recorded for it between October 8 2019 and March 22 2026. Nine distinct victim IP addresses across five ASNs communicated with this IP during the campaign window.
SecureList also examined email-connected domains, that is, domains sharing a registrant email address with one of the 15 domains in historical WHOIS records. The analysis uncovered 10,812 unique email-connected domains, of which 11 were confirmed malicious by threat-intelligence feeds. Five of those 11, bitpiecn.com.cn, ld018.com, meta-mask.org.cn, one-key.org.cn, and t0kenpocket.cn, were linked to malware distribution between March 9 2023 and April 27 2026.
Additionally, 18 IP addresses not among the original IoCs were identified once the sole IP IoC was filtered out; threat-intelligence lookups showed that eight of them had been associated with prior attacks.
The FakeWallet campaign shows how attackers abuse the iOS ecosystem: trojanized apps masquerade as legitimate wallet apps, and social engineering persuades users to install them. Because the malware harvests recovery phrases and private keys, it poses a direct threat to users of popular wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. A stolen recovery phrase cannot be rotated like a password; it gives the attacker control of every account derived from it, so the only remediation is to move funds to a freshly generated wallet.
Security teams are advised to verify the authenticity of wallet apps before installation and to monitor DNS and network logs for the identified subdomains, domains, and IP addresses, including any new names beneath the flagged domains. Apple has removed the identified FakeWallet apps from the App Store and has urged users to update their wallets to the latest official releases.
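The following is an added example, not code from the SecureList report, showing one way to act on the monitoring advice above and on the bulk-registered look-alikes noted earlier (crypto-store.cc/.top/.cn): it matches DNS query logs against the domain IoCs named in this article, treating any name beneath an IoC domain as a hit, and groups the IoC set by registrable label and by wallet-brand skeleton to surface look-alike registrations. The log line format is a constructed, hypothetical one, the sample lines are constructed, and the IP 203.0.113.10 (TEST-NET-3 documentation range) is a placeholder for the report's single IP IoC, whose value the article does not give.

```python
"""Added example (not from the SecureList report): match DNS query logs against
the FakeWallet network IoCs named in the article and surface look-alike domains.

Assumptions: the log format ('ts client qname answer') is constructed and
hypothetical; 203.0.113.10 is a placeholder (TEST-NET-3) standing in for the
report's single IP IoC, which the article does not name."""
import ipaddress
from collections import defaultdict

# Domains named in the article. A query for any name beneath one of these is a
# hit, which also catches subdomains that were not yet listed at report time.
IOC_DOMAINS = {
    "jhxrpbgq.com", "siyangoil.com", "lahuafa.com", "dc1637.xyz",
    "crypto-store.cc", "crypto-store.top", "crypto-store.cn", "gxzhrc.cn",
    "bitpiecn.com.cn", "ld018.com", "meta-mask.org.cn", "one-key.org.cn",
    "t0kenpocket.cn",
}
# api.npoint.io is a legitimate service, so only the exact subdomain is
# matched; matching all of npoint.io would be noise.
IOC_EXACT = {"api.npoint.io"}
IOC_IPS = {ipaddress.ip_address("203.0.113.10")}  # placeholder, see docstring

# Minimal two-label public suffixes seen among the article's IoCs. A real
# deployment should use the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.cn", "org.cn", "net.cn"}


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot that resolvers often log."""
    return name.strip().lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """'x.y.meta-mask.org.cn' -> 'meta-mask.org.cn'; 'a.b.example.com' -> 'example.com'."""
    labels = normalize(name).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matches_ioc_domain(qname: str) -> bool:
    """True if qname is an exact IoC or equals / sits beneath an IoC domain."""
    q = normalize(qname)
    if q in IOC_EXACT:
        return True
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns_log(lines):
    """Parse constructed 'ts client qname answer' lines; return (ts, client, qname, reason) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the scan
        ts, client, qname, answer = parts
        if matches_ioc_domain(qname):
            hits.append((ts, client, normalize(qname), "ioc-domain"))
            continue
        try:
            if ipaddress.ip_address(answer) in IOC_IPS:
                hits.append((ts, client, normalize(qname), "ioc-ip"))
        except ValueError:
            pass  # answer was not an IP (e.g. NXDOMAIN)
    return hits


def skeleton(label: str) -> str:
    """Collapse common look-alike tricks: hyphens and 0/1 standing in for o/l."""
    return label.replace("-", "").translate(str.maketrans("01", "ol"))


def lookalike_groups(domains):
    """Group domains that share a registrable label across TLDs, e.g. crypto-store.{cc,top,cn}."""
    groups = defaultdict(set)
    for d in domains:
        groups[registrable_domain(d).split(".")[0]].add(normalize(d))
    return {k: v for k, v in groups.items() if len(v) > 1}


def brand_lookalikes(domains, brands):
    """Return {domain: brand} where the registrable label's skeleton contains a wallet brand."""
    found = {}
    for d in domains:
        label = skeleton(registrable_domain(d).split(".")[0])
        for b in brands:
            if b in label:
                found[normalize(d)] = b
    return found


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2026-04-22T10:01:00Z 10.0.0.5 6688cf.jhxrpbgq.com. 198.51.100.7",
    "2026-04-22T10:01:05Z 10.0.0.5 api.npoint.io. 198.51.100.8",
    "2026-04-22T10:02:00Z 10.0.0.9 cdn.example.net. 203.0.113.10",
    "2026-04-22T10:03:00Z 10.0.0.9 MGI1Y.SIYANGOIL.COM NXDOMAIN",
    "garbage line",
]
WALLET_BRANDS = ["metamask", "tokenpocket", "bitpie", "imtoken",
                 "trustwallet", "ledger", "coinbase"]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
    print(lookalike_groups(IOC_DOMAINS))
    print(brand_lookalikes(IOC_DOMAINS, WALLET_BRANDS))
```

The suffix-aware `registrable_domain` matters for the .cn IoCs: without it, bitpiecn.com.cn and meta-mask.org.cn would both collapse to the label "com" or "org" and the brand match would be lost. The brand skeleton is deliberately crude; it is meant to rank candidates for analyst review, not to block traffic on its own.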
The investigation remains ongoing, with researchers continuing to monitor the identified IoCs for new activity. No regulatory actions or court proceedings have been reported at this time.