
Hackers Clone Crypto Wallets to Steal Users' Funds

Backdoored Apps Allow Normal Functioning of Wallet While Exfiltrating Master Key
A cloned Coinbase Wallet website hosted at som-coinbase[.]com (Source: Confiant)

Technically sophisticated thieves are stealing cryptocurrency by impersonating popular smartphone wallet apps for the Apple and Android platforms.


Researchers at security firm Confiant say the theft campaign is run by China-linked threat actors.

Dubbed SeaFlower, the campaign mainly targets users of Chinese search engines through links to malicious cryptocurrency wallet apps ostensibly from MetaMask, Coinbase, imToken and TokenPocket.

The malicious apps contain code allowing hackers to exfiltrate users' seed phrases - the list of random words allotted to new wallet users that effectively acts as a wallet recovery master key.

SeaFlower is "the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group," the Confiant researchers say.

Theft and fraud continue to plague the cryptocurrency market, and blockchain analysis firm Chainalysis pegs the value of illicit transactions conducted during the last year at $14 billion.

Theft by actors such as the SeaFlower gang has irreversible effects, says James McQuiggan, a security awareness advocate at cybersecurity firm KnowBe4. Cryptocurrency wallets don't have the same regulatory protections as traditional banking systems.

"If a cybercriminal gains access to someone's crypto wallet or account, they can quickly move the funds to their accounts," he says.

Modus Operandi

SeaFlower isn't a campaign of malicious hacking into consumer wallet apps. Instead, it depends on users downloading seemingly legitimate wallet apps that contain a backdoor for seed phrase exfiltration.

The campaign's technical sophistication makes it different from other web3 digital theft efforts, the researchers say. It's not common to observe reverse engineering of apps complete with automatic deployment and legitimate developer provisioning profiles for the Apple App Store.

The researchers say they informed Apple of the developer IDs the thieves used to code iOS apps, which Apple revoked. The company did not immediately reply to a request for comment.

Users encounter the malicious apps via searches such as "download metamask ios" on Chinese search engines, which display links to cloned websites of legitimate wallet apps.

"Search engines are one of the clear entry points for SeaFlower that we identified to this date, redirecting mobile users to fake/cloned wallet download websites. In particular, Baidu search engine results are one of the initial vectors for these attacks," the researchers say, referring to the dominant Chinese search engine.

For iOS devices, the malicious apps are sideloaded from the cloned webpages onto the smartphone, meaning the app isn't installed through the official Apple App Store. Users are unable to see the difference between the malicious app and the real thing.

"The user experience, the UI and all the wallet functionality are unchanged, normal/advanced users won't notice anything while using the app on their phones: it is the legitimate app from the AppStore/Play Store with a sneaking backdoor in it," the researchers say.

The backdoored wallets send traffic to web domains meant to mimic legitimate domains, such as trx.lnfura[.]org in place of, or metanask[.]cc instead of
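
A defender-side check for the kind of lookalike destinations named above, as an added example that is not from the article or from Confiant's report. The brand list, the set of official domains and the last-two-labels rule for the registrable domain are assumptions of this example.

```python
import re

# Assumptions of this example (not from the article): brand labels to protect
# and the registrable domains treated as official. Verify and extend both.
BRANDS = ("metamask", "coinbase", "imtoken", "tokenpocket", "infura")
OFFICIAL = {"metamask.io", "coinbase.com", "infura.io"}


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (reason, brand) for a suspicious host, or None if nothing matches."""
    host = host.lower().replace("[.]", ".").strip(".")  # accept defanged input
    labels = host.split(".")
    # Naive registrable domain (last two labels); production code should use
    # the Public Suffix List instead.
    if ".".join(labels[-2:]) in OFFICIAL:
        return None
    for token in re.split(r"[.\-_]", host):
        for brand in BRANDS:
            if token == brand:
                return ("embedded", brand)   # real brand name on a foreign domain
            if edit_distance(token, brand) == 1:
                return ("lookalike", brand)  # one character away from the brand
    return None


# Hosts quoted in the article, plus two benign ones for comparison.
SAMPLE_HOSTS = ["trx.lnfura[.]org", "metanask[.]cc", "som-coinbase[.]com",
                "mainnet.infura.io", "api.example.org"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", classify(h))
```

Run over the destinations a wallet app contacts (from proxy or DNS logs), this flags single-character substitutions and brand names placed on unrelated domains, while leaving the allowlisted domains alone.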

About SeaFlower

First identified in March this year, the campaign's name has an interesting origin story that functions as one clue among many that the thieves are Chinese speakers.

Confiant says one of the injected executable files of the backdoored metamask app leaked a macOS username: Zhang Haike.

Zhang Haike is a character in a Chinese novel called "Tibetan Sea Flower."

The researchers also found source code comments written in Chinese.

In addition, much of the technical infrastructure underpinning the malicious apps had links to the Chinese and Hong Kong IP address spaces, including "provisioning profiles, signing infrastructure, and app provisioning infrastructure." There were also domains registered with the country code top-level domain for China.

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
