As if those in the crypto market didn’t have enough to worry about, a new group of Chinese hackers has been observed distributing backdoored versions of legitimate Web3 wallets via cloned websites.
The scammers are targeting web browser searches for particular types of wallets, and have managed to achieve high placement in search results. The attack primarily targets users looking to “sideload” these Web3 wallets onto their phones outside of an app store, and both iOS and Android versions of the fake wallets are being distributed.
Extremely accurate copies of Web3 wallet websites bait users into downloading compromised product
The Chinese hackers are reportedly making near-perfect copies of the legitimate websites that certain Web3 wallets offer direct downloads through. The bogus website links to an equally legitimate-looking copy of the wallet itself, but one that has had code inserted into it to allow the attackers to remotely drain it at a time of their choosing.
The one consistent clue that these spoofed websites are bogus is the URL: the lookalike domains generally incorporate some element of the wallet’s name, but they are not the legitimate registrable domain, only something that resembles it. In spite of being obvious copies of existing websites, the Chinese hackers appear to be successfully using search engine optimization techniques to place highly in results of searches for these Web3 wallets. The cloned websites are presented in Chinese and English, and they appear to be having the most success with results from China’s leading search engine Baidu.
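Because the domain is the one reliable tell, a defender can turn it into a detection over web-proxy or DNS logs: anything that carries a wallet’s brand name but is not the vendor’s own registrable domain (or a subdomain of it) gets flagged. The example below is added here and is not Confiant’s tooling or any vendor’s code. The official-domain table and the homoglyph list are assumptions to be verified against each vendor’s published site before deployment, the `.example` hosts and the log lines are constructed for illustration, and the log format is a made-up `timestamp source method url` layout that you would swap for your proxy’s actual schema.

```python
"""Flag lookalike Web3-wallet domains in proxy logs (added example, not from the article)."""
import re
from urllib.parse import urlsplit

# Assumption: the official registrable domain(s) of each wallet named in the article.
# Verify these against the vendors' own sites before relying on them.
OFFICIAL_DOMAINS = {
    "metamask": ("metamask.io",),
    "imtoken": ("token.im",),
    "tokenpocket": ("tokenpocket.pro",),
    "coinbase": ("coinbase.com",),
}

# Assumption: typical substitutions used to make a brand string look right
# at a glance ("rn" for "m", "vv" for "w", digits for letters). Order matters:
# multi-character swaps run before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed log format: <timestamp> <client ip> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def normalize_host(host: str) -> str:
    """Lowercase the host, drop separators, and undo common homoglyph tricks."""
    h = host.lower().replace("-", "").replace("_", "")
    for bad, good in HOMOGLYPHS:
        h = h.replace(bad, good)
    return h


def is_official(host: str, brand: str) -> bool:
    """True if host is the vendor's registrable domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])


def classify_host(host: str):
    """Return (brand, verdict) where verdict is 'official', 'lookalike' or None."""
    # Exact/subdomain match on the raw host wins: wallet.coinbase.com is fine.
    for brand in OFFICIAL_DOMAINS:
        if is_official(host, brand):
            return brand, "official"
    # Otherwise look for the brand inside the normalized host string.
    norm = normalize_host(host)
    for brand in OFFICIAL_DOMAINS:
        if brand in norm:
            return brand, "lookalike"
    return None, None


def scan_proxy_log(lines):
    """Return one record per request whose host is a lookalike of a wallet domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        host = urlsplit(m.group("url")).hostname or ""
        brand, verdict = classify_host(host)
        if verdict == "lookalike":
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "host": host, "brand": brand})
    return hits


# Constructed sample log; the .example hosts are invented, not real SeaFlower domains.
SAMPLE_LOG = """\
2022-06-13T09:14:22Z 10.0.0.12 GET https://metamask.io/download/
2022-06-13T09:15:03Z 10.0.0.12 GET https://rnetarnask-app.example/ios/
2022-06-13T09:16:40Z 10.0.0.31 GET https://wallet.coinbase.com/
2022-06-13T09:17:09Z 10.0.0.31 GET https://coinbase-wallet-download.example/apk
2022-06-13T09:18:55Z 10.0.0.44 GET https://token.im/download
2022-06-13T09:19:30Z 10.0.0.44 GET https://imtoken-pro.example/app
2022-06-13T09:20:01Z 10.0.0.50 GET https://news.example/markets
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} (lookalike of {hit['brand']})")
```

The check deliberately errs toward false positives: a hyphenated or homoglyph-laden host that merely contains a brand string is worth an analyst’s glance, whereas the official list is matched strictly on the raw hostname so that legitimate subdomains are never flagged. In production you would feed the allowlist from a maintained source and add the brands of whatever wallets your users actually run.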
While websites that allow direct download and sideloading of apps are not uncommon in the Android space, it is more unusual with iOS. To facilitate installation on Apple devices, the fake Web3 wallets ship with “provisioning profiles,” the mechanism Apple provides developers and enterprises for testing and in-house distribution, which allow an app to be installed and run outside of the App Store. A consumer wallet asking the user to install a profile is itself a warning sign: legitimately published wallets are installed from the App Store and never need one.
The legitimate versions of these Web3 wallets remain safe, and most are available through each OS’s official app store. The Chinese hackers have no way into these wallets unless the victim downloads their compromised version from one of these fake sites.
Chinese hackers wait for victims to transfer funds, can drain wallets in minutes
The attack is particularly insidious because the fake Web3 wallets function as expected, at least up until the moment the Chinese hackers decide to make use of the backdoor and drain them. The hackers generally steal the seed phrase as the user enters it during wallet setup, then use it to remotely “recover” the wallet on their own device at an opportune time. Because the seed phrase is the wallet, reinstalling the genuine app does not help a victim who has already typed their phrase into the fake one; the only remedy is to generate a new wallet with a fresh seed and move the funds there before the attackers do.
The connection to China was established by security researchers with Confiant, who named the group “SeaFlower.” The researchers cited a number of links, including the use of Chinese language in the backdoor code and pieces of the group’s infrastructure residing in that country.
Thus far the hackers have targeted four wallets: Coinbase Wallet, imToken, MetaMask and Token Pocket. However, researchers warn that the group is still highly active and could expand to other Web3 wallets.