A recent research report has uncovered a campaign that sought to drain cryptocurrency wallets through fraudulent applications hosted in the Apple App Store. Security researchers have identified 26 malicious apps posing as well-known wallets - MetaMask, Coinbase, Trust Wallet, OneKey and others - with the intention of capturing recovery phrases (seed phrases) and enabling direct theft of funds.
The deception combined simple but effective techniques: misspelled variants of the legitimate applications' names (typosquatting), counterfeit logos and screenshots, and even publishing these apps as games or calculators to hide their real purpose. This "harmless" appearance had a strategic purpose: many crypto applications are restricted or outright blocked in certain markets, so presenting them as innocuous software is a way of getting past those barriers and gaining user trust.

According to Kaspersky's analysis, the 26 copies are part of a single campaign labeled FakeWallet, which researchers link to a previous operation known as SparkKitty. When a victim opens the app, the flow redirects them to phishing pages that closely mimic the web front pages of the crypto services. These pages do not only ask for credentials: they induce the user to download cracked versions of the wallets using iOS provisioning profiles, a legitimate Apple mechanism that, when abused, allows sideloading of code not approved for the App Store.
The abuse of provisioning profiles is the critical link in the scam. Apple offers enterprise and developer mechanisms that allow apps to be installed directly on devices; these same mechanisms can be used to bypass the regular store review and distribute malicious software. Kaspersky documents how the fraudulent pages install profiles that allow the trojanized apps to run outside the normal App Store flow.
Once installed, these apps include code that intercepts the mnemonic phrase when the user creates or recovers a wallet. The captured text is encoded and sent to the fraud operator. In the case of cold wallets (hardware wallets) such as Ledger, the attackers used fraudulent verification screens within the app to persuade the user to manually enter their seed phrase under the pretext of a security check. That phrase, which should never be shared, allows the wallet to be restored on another device and the assets to be transferred immediately.
It should be understood without technicalities: the seed phrase is the master key to a wallet. Whoever knows it can recreate the wallet and move the funds, with no possibility of reversing the operation on most blockchains. This is why specialists repeat a simple and firm maxim: never enter your recovery phrase into an app or website, not even if it looks official.
Kaspersky's team warns that, although the campaign focused on users in China, the code and methods incorporate no intrinsic geographical restrictions: if the operators decide to widen their targeting, users in other regions could be affected. Apple removed the 26 applications from the App Store after Kaspersky's responsible disclosure, but questions remain about how these binaries managed to pass the store's initial controls and whether there were failures in the validation process.
The incident is not isolated. Last week, a fake Ledger app was also reported to have reached the App Store and reportedly facilitated the theft of approximately $9.5 million in cryptocurrency from affected users' macOS computers. Specialized outlets such as BleepingComputer have tried to obtain more information from Apple on how the controls were bypassed, without receiving an immediate response at the time of publication.
What practical measures can users take to protect themselves? First of all, always check the source of the link you use to download a wallet: go to the official provider's page or to the links that provider publishes on its verified channels. If an app asks you to install a provisioning profile or to grant access to advanced system options, treat it as suspicious by default and abort the process until its legitimacy is confirmed.
In addition, avoid entering the seed phrase into applications or websites. Hardware wallets are designed so that the phrase never leaves the device; if any screen asks for the seed "for security," it is a sign of fraud. Hardware wallet companies often explain safe handling of the phrase in their help resources, such as Ledger's guide to what a seed phrase is ( Ledger Academy).
Updating the operating system and applications, carefully reading the developer's identity on the App Store listing, and distrusting installations that depend on enterprise profiles are additional steps to minimize risk. If you have recently installed an app that requested a profile and have doubts about its origin, uninstall it and remove any associated profile from the device settings. To better understand the technical framework the attackers exploit, documentation on Apple's developer and enterprise programs offers context on provisioning profiles ( Apple Developer Enterprise Program).

If you think your seed phrase has been compromised, the most prudent step is to move the funds to a new wallet whose backup has never been exposed anywhere and, if you use a hardware wallet, to enable advanced protection features such as passphrases or additional protected accounts. The incident should also be reported to the wallet provider, and the fraud reported to the local authorities and to the platforms where you found the app.
Underneath it all, these attacks recall a classic digital security lesson: chains of trust are only as strong as their weakest link. When a malicious app is able to impersonate a legitimate service, the responsibility lies partly with detection mechanisms and the user's caution, but also with the need for app stores and developers to strengthen their controls and official distribution channels. Staying alert and applying digital hygiene practices remains the best defense.
Sources: the Kaspersky report ( FakeWallet analysis in Securelist) and the coverage of related incidents in specialized media such as BleepingComputer.