Hackers Clone Popular Crypto Wallets to Steal Tokens

Close up of Coinbase and Wallet Smartphone apps on a dark screen

Researchers at adtech security firm Confiant have uncovered a malicious cyber campaign where hackers deploy clones of popular crypto wallets, such as Coinbase and MetaMask, to steal users’ digital tokens. On June 12, the researchers published an article on Medium, shedding light on the sophisticated campaign, called SeaFlower.

Confiant’s threat intelligence team first noticed the malicious activity in March this year. The SeaFlower campaign involves deploying clones of popular crypto wallets. The hackers use various techniques to spread the cloned wallets to iOS and Android devices.

These clones are virtually identical to the legitimate wallets they’re ripping off, albeit with one major difference—a backdoor that allows the threat actor to steal users’ seed phrases. Seed phrases are recovery codes that are unique to individual accounts. With seed phrases, hackers can access their victim’s wallet and steal its contents.

Confiant said SeaFlower is currently targeting both iOS and Android versions of Coinbase, MetaMask, Token Pocket, and ImToken. While the researchers have not identified the threat actor, they suspect it is a Chinese-speaking group.

Sophisticated Campaign Also Uses Cloned Websites

According to the researchers, the cloned apps are deceptively similar to their original counterparts, and users will hardly notice any difference in functionality. However, a closer look at the network monitoring requests reveals some suspicious activity.

Confiant’s researchers noticed a single network request sent to “weird-looking domains” over HTTPS. After decrypting the traffic, they found that the data sent to the threat actor includes the seed phrase, wallet address, and balance of wallets.

Furthermore, the hackers use fake websites that are identical to the wallets’ legitimate sites to deceive victims and distribute the cloned apps.

The hackers also use provisioning profiles to bypass Apple’s protections against third-party apps to spread the cloned app to iOS devices. Provisioning profiles are profiles that enable developers to test out their apps on Apple devices. This way, the attackers sideload the app onto their victims’ phones.

Cloned Wallets Spread Through SEO Poisoning

The researchers found that the first point of entry for the campaign is search engines, which the hackers use to direct victims to the cloned websites.

SeaFlower relies on techniques such as SEO poisoning to have their websites show up on search engine results. The popular Chinese search engine, Baidu, is one of the attack vectors the hackers use to snag unsuspecting victims.

Since the researchers found strong Chinese-language links to the campaign, they were curious to see if Baidu users were targeted.

“We searched for “download metamask ios” and one of the baidu links on the first results page redirected us to token18[.]app website, which was SeaFlower Drive-by download page, sweet!” the researchers wrote.

The best way to protect yourself from such attacks is to always download crypto wallets from official app stores. Apple users must never accept random provisioning profile requests, as this could lead to the side-loading of potentially malicious software.

To learn more about backdoors to apps, and the best ways to protect yourself, check out our article on Trojans. We also recommend taking a look at this article on cryware to learn about the latest malware targeting crypto wallets.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.