FakeWallet crypto stealer spreading in the App Store
In March 2026, more than twenty phishing applications were found in the Apple App Store masquerading as popular cryptocurrency wallets. The App Store listings themselves are lures: they redirect users to browser pages that serve trojanized builds of the legitimate wallets, modified to exfiltrate recovery phrases and private keys. The campaign primarily targets users in China, taking advantage of regional restrictions that keep official crypto wallet apps out of the Chinese App Store. Attackers rely on typosquatted names and fake promotional material to deceive users. The trojanized wallets are installed outside the App Store through iOS enterprise provisioning profiles and are produced by malicious library injection or source code modification of the genuine apps. The campaign has been active since at least fall 2025 and targets major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie. Some trojanized apps also contained SparkKitty modules, suggesting links between the threat actors.
AI Analysis
Technical Summary
This threat is a malware distribution campaign that uses lure apps in the Apple App Store, impersonating legitimate cryptocurrency wallets, to steer primarily Chinese users toward trojanized wallet builds that steal recovery phrases and private keys. The stealer is not the App Store app itself: the listing sends the victim to a web page, and the trojanized wallet is then installed through an iOS enterprise provisioning profile, which bypasses App Store review. The trojanized builds are created by injecting malicious libraries into, or modifying the source code of, the genuine wallets, so they look and behave like the real product until the user enters a seed phrase. Typosquatting and fake promotional content increase the credibility of the lure. Targeted wallets include MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie. The presence of SparkKitty modules in some samples suggests shared tooling or collaboration among threat actors. This is social engineering combined with abuse of platform trust, not exploitation of a software vulnerability, so there is nothing to patch.
Potential Impact
Users who install these trojanized wallets and enter a recovery phrase or private key into them risk immediate and irreversible loss of funds, since anyone holding the seed phrase controls the wallet. The campaign exploits regional restrictions in the Chinese App Store to reach users who cannot obtain the official wallet apps through normal channels. Enterprise provisioning profiles let the trojanized builds run on non-jailbroken devices without App Store review, and because the malicious code is injected into an otherwise genuine wallet, the app is functionally indistinguishable from the original to the victim. No software vulnerability is exploited, but the combination of a trusted storefront, a convincing lure and a fully working wallet makes the theft hard to notice before the funds are gone.
Mitigation Recommendations
No patch applies, because this is a malware distribution campaign rather than a software vulnerability. Users should install wallet apps only from the App Store listing linked from the wallet vendor's own website, and should never follow an in-app or web redirect that ends in a browser download: a legitimate App Store app never installs a second copy of itself from a website. On iOS, an enterprise-signed app must be explicitly trusted under Settings > General > VPN & Device Management before it runs; a wallet that asks for this step is not the vendor's App Store build and should be deleted along with its profile. A recovery phrase should only ever be typed into a wallet during a deliberate restore, and a hardware wallet's seed (for example a Ledger's 24 words) should never be entered into any phone app at all. Anyone who has already entered a seed phrase into a suspect app should treat the wallet as compromised and move the funds to a new wallet created on a clean device. Users in regions where official wallet apps are unavailable should be especially wary of look-alike names and promotional pages. For organizations, block and alert on the domains and URLs listed below, match the listed file hashes against mobile device inventories, and use MDM restrictions that prevent users from trusting enterprise app developers on managed devices. Apple is responsible for removing the lure apps and revoking the enterprise certificates used for distribution; monitoring vendor advisories and the Securelist report for updates is recommended.
Affected Countries
China
Indicators of Compromise
- domain: appstoreios.com
- domain: iosfc.com
- hash: 0565364633b5acdd24a498a6a9ab4eca
- hash: 114721fbc23ff9d188535bd736a0d30e
- hash: 19733e0dfa804e3676f97eff90f2e467
- hash: 31d25ddf2697b9e13ee883fff328b22f
- hash: 4126348d783393dd85ede3468e48405d
- hash: 417ae7f384c49de8c672aec86d5a2860
- hash: 5bdae6cb778d002c806bb7ed130985f3
- hash: 686989d97cf0d70346cbde2031207cbf
- hash: 79fe383f0963ae741193989c12aefacc
- hash: 7b4c61ff418f6fe80cf8adb474278311
- hash: 7e678ca2f01dc853e85d13924e6c8a45
- hash: 84c81a5e49291fe60eb9f5c1e2ac184b
- hash: 8cbd34393d1d54a90be3c2b53d8fc17a
- hash: 8d45a67b648d2cb46292ff5041a5dd44
- hash: 8f51f82393c6467f9392fb9eb46f9301
- hash: b639f7f81a8faca9c62fd227fef5e28c
- hash: bafba3d044a4f674fc9edc67ef6b8a6b
- hash: be9e0d516f59ae57f5553bcc3cf296d1
- hash: d138a63436b4dd8c5a55d184e025ef99
- hash: d48b580718b0e1617afc1dec028e9059
- hash: fd0dc5d4bba740c7b4cc78c4b19a5840
- url: https://139.180.139.209/prod-api/system/confData/getUserConfByKey/
- url: https://6688cf.jhxrpbgq.com/6axqkwuq
- url: https://api.dc1637.xyz
- url: https://api.npoint.io/153b165a59f8f7d7b097
- url: https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31
- url: https://crypto-stroe.cc/
- url: https://helllo2025.com/api/open/postByTokenpocket
- url: https://iosfc.com/ledger/ios/Rsakeycatch.php
- url: https://kkkhhhnnn.com/api/open/postByTokenpocket
- url: https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF
- url: https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n
- url: https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5
- url: https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc
- url: https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb
- url: https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ
- url: https://nmu8n.com/tpocket/ios/Rsakeyword.php
- url: https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf
- url: https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca
- url: https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n
- url: https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN
- url: https://sxsfcc.com/api/open/postByTokenpocket
- url: https://www.gxzhrc.cn/download/
- url: https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35
- url: https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737
- url: https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=
- url: https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=
- url: https://yjzhengruol.com/s/3f605f
- url: https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860
- url: https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f
- url: https://zmx6f.com/btp/ios/receiRsakeyword.php
- domain: crypto-stroe.cc
- domain: helllo2025.com
- domain: kkkhhhnnn.com
- domain: nmu8n.com
- domain: sxsfcc.com
- domain: yjzhengruol.com
- domain: zmx6f.com
- domain: 6688cf.jhxrpbgq.com
- domain: api.dc1637.xyz
- domain: mgi1y.siyangoil.com
- domain: mti4ywy4.lahuafa.com
- domain: mtjln.siyangoil.com
- domain: mziyytm5ytk.ahroar.com
- domain: ngy2yjq0otlj.ahroar.com
- domain: ntm0mdkzymy3n.oukwww.com
- domain: nziwytu5n.lahuafa.com
- domain: odm0.siyangoil.com
- domain: www.gxzhrc.cn
- domain: xz.apps-store.im
- domain: zdrhnmjjndu.ulbcl.com
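As an added example (not code from the Securelist report or from AlienVault), the script below parses IoCs written in the page's own `- kind: value` form and matches them against proxy, DNS and EDR log lines. The IoC values are a subset copied from the list above; the log lines are constructed for the example. Two details are deliberate: domain matching is suffix-based but only against listed names (so `cdn.ahroar.com` does not hit, because the page lists specific `ahroar.com` subdomains rather than the parent zone), and URL hosts are not promoted to domain indicators, because one listed URL sits on the shared service `api.npoint.io` and blocking that host would be a false positive. The 32-hex-character hashes on the page are MD5-length, so the hash matcher looks for 32-hex tokens.

```python
"""Match the FakeWallet IoCs listed above against constructed log lines.

Added example for this page; not code from the Securelist report or AlienVault.
IoC values are copied from the page; LOG_LINES are constructed sample input.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Subset of the page's IoCs, in the page's own "- kind: value" format.
IOC_TEXT = """
- domain: appstoreios.com
- domain: iosfc.com
- domain: xz.apps-store.im
- domain: ngy2yjq0otlj.ahroar.com
- domain: ntm0mdkzymy3n.oukwww.com
- hash: 0565364633b5acdd24a498a6a9ab4eca
- hash: 686989d97cf0d70346cbde2031207cbf
- url: https://139.180.139.209/prod-api/system/confData/getUserConfByKey/
- url: https://iosfc.com/ledger/ios/Rsakeycatch.php
- url: https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf
- url: https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737
"""

# Constructed log lines (proxy, DNS and EDR style); not from any real environment.
LOG_LINES = [
    "2026-03-12T08:14:03Z proxy src=10.0.0.7 GET https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737 200",
    "2026-03-12T08:14:05Z dns src=10.0.0.7 query=IOSFC.COM type=A",
    "2026-03-12T08:14:09Z dns src=10.0.0.9 query=cdn.ahroar.com type=A",
    "2026-03-12T08:15:41Z edr host=mbp-07 file=Ledger.ipa md5=686989D97CF0D70346CBDE2031207CBF",
    "2026-03-12T08:16:00Z proxy src=10.0.0.12 GET https://139.180.139.209/prod-api/system/confData/getUserConfByKey/ 200",
    "2026-03-12T08:16:30Z proxy src=10.0.0.12 GET https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf 200",
    "2026-03-12T08:16:02Z proxy src=10.0.0.12 GET https://www.apple.com/ 200",
]

IOC_RE = re.compile(r"^\s*-\s*(domain|hash|url):\s*(\S+)\s*$", re.M)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # DNS names, not IPs
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)                   # 32 hex = MD5 length
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    urls: set = field(default_factory=set)


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop any fragment; keep path and query exact."""
    p = urlsplit(url.rstrip(".,;)"))
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def parse_iocs(text: str) -> IocSet:
    """Read '- domain|hash|url: value' lines into normalized sets."""
    iocs = IocSet()
    for kind, value in IOC_RE.findall(text):
        if kind == "domain":
            iocs.domains.add(value.lower().rstrip("."))
        elif kind == "hash":
            iocs.hashes.add(value.lower())
        else:  # URL hosts are NOT added to domains (see api.npoint.io above)
            iocs.urls.add(normalize_url(value))
    return iocs


def domain_hit(host: str, domains: set):
    """Return the listed domain that host equals or sits under, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_line(line: str, iocs: IocSet) -> list:
    """Return sorted, de-duplicated (kind, ioc) pairs found in one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        norm = normalize_url(url)
        if norm in iocs.urls:
            hits.add(("url", norm))
    for host in HOST_RE.findall(line):  # also catches hosts inside URLs
        d = domain_hit(host, iocs.domains)
        if d:
            hits.add(("domain", d))
    for h in HASH_RE.findall(line):  # hashes in EDR fields or in URL query strings
        if h.lower() in iocs.hashes:
            hits.add(("hash", h.lower()))
    return sorted(hits)


def scan(lines, iocs: IocSet) -> dict:
    """Map line index -> hits, for every line that matched at least one IoC."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line, iocs))}


if __name__ == "__main__":
    for idx, found in scan(LOG_LINES, parse_iocs(IOC_TEXT)).items():
        print(idx, found)
```

Note that the sixth constructed line matches three ways at once: the listed URL, its listed host, and the MD5 embedded in its query string, which on the page is one of the listed sample hashes. Feed the full IoC list from this page and real proxy or DNS exports into `parse_iocs` and `scan` to use it as a one-off sweep.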
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/fakewallet-cryptostealer-ios-app-store/119482/
- Adversary: not recorded
- Pulse Id: 69e5ff33953b2bfaa5b6c105
- Threat Score: not recorded
Threat ID: 69e60e8319fe3cd2cde3130b
Added to database: 4/20/2026, 11:31:15 AM
Last enriched: 4/20/2026, 11:46:07 AM
Last updated: 4/21/2026, 6:35:14 AM