FakeWallet Apps on App Store Caught Stealing Crypto Seed Phrases
- John Jordan
Cybersecurity researchers have uncovered a significant threat on Apple's App Store, where 26 malicious applications, collectively known as FakeWallet, were found impersonating popular cryptocurrency wallets. These apps were designed to steal users' recovery seed phrases and private keys, potentially leading to the loss of digital assets. Many of these apps have since been removed by Apple following the disclosure.
Key Takeaways
- 26 malicious apps disguised as popular crypto wallets were found on the Apple App Store.
- These apps aimed to steal users' cryptocurrency seed phrases and private keys.
- The campaign, dubbed FakeWallet, has been active since at least Fall 2025.
- Apple has removed the identified apps after being notified.
- The campaign primarily targeted users in China but has no geographic restrictions.
The FakeWallet Campaign Unveiled
Researchers discovered that the FakeWallet apps mimicked well-known wallets such as MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. These malicious applications often used subtle typos in their names or misleading icons to trick users into downloading them. In some cases, the apps acted as placeholders: they claimed that the official wallet apps were unavailable in the App Store for regulatory reasons and directed users to download them through the placeholder app instead.
How the Scam Worked
Once launched, these fake wallet apps would redirect users to browser pages designed to look like the App Store. From there, they would prompt users to download trojanized versions of legitimate wallets. These infected apps were engineered to hijack recovery phrases and private keys. The malware achieved this by either hooking into the code responsible for the recovery phrase input screen or by presenting a phishing page that requested the seed phrase as part of a supposed verification process. The stolen information was then encrypted and sent to external servers, allowing attackers to gain control of victims' wallets and drain their cryptocurrency.
Sophisticated Tactics and Potential Links
While some apps directly contained malicious code, others leveraged enterprise provisioning profiles to install trojanized wallet apps without going through Apple's standard review process. This technique allows for the sideloading of apps outside the App Store. Researchers suspect the FakeWallet campaign might be linked to the SparkKitty trojan campaign, given the use of optical character recognition (OCR) to steal wallet recovery phrases and the apparent targeting of cryptocurrency assets by native Chinese speakers.
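When triaging an IPA that was installed from a web page rather than the App Store, the `embedded.mobileprovision` file inside the app bundle shows whether the build is enterprise-signed, the distribution route described above. The following is an added example, not code from the article or the researchers; the sample bytes, team IDs, team names and the `triage` helper are constructed for illustration, and the profile is read without verifying its CMS signature.

```python
import plistlib

def make_sample(payload: dict) -> bytes:
    # Constructed stand-in: a real profile is a CMS-signed blob wrapping an XML plist.
    return b"\x30\x82FAKE-CMS-HEADER" + plistlib.dumps(payload) + b"FAKE-CMS-SIGNATURE"

def extract_profile(blob: bytes) -> dict:
    """Extract the XML plist from the signed container (signature is NOT verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Map provisioning-profile keys to a distribution type."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"   # in-house profile: installs on any device, no store review
    if profile.get("ProvisionedDevices"):
        # Device-limited profiles: development builds allow a debugger to attach.
        dev = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if dev else "ad-hoc"
    return "app-store"

def triage(blob: bytes, trusted_team_ids: set) -> dict:
    """Flag enterprise-signed builds whose team is not one the organisation trusts."""
    profile = extract_profile(blob)
    kind = classify(profile)
    team = (profile.get("TeamIdentifier") or ["unknown"])[0]
    return {"type": kind, "team_id": team, "team_name": profile.get("TeamName", ""),
            "flag": kind == "enterprise" and team not in trusted_team_ids}

# Constructed profiles; the team IDs and names are placeholders, not real indicators.
ENTERPRISE_SAMPLE = make_sample({
    "TeamIdentifier": ["ABCDE12345"], "TeamName": "Example Trading Co (constructed)",
    "ProvisionsAllDevices": True, "Entitlements": {"get-task-allow": False}})
ADHOC_SAMPLE = make_sample({
    "TeamIdentifier": ["ZZZZZ99999"], "TeamName": "Internal QA (constructed)",
    "ProvisionedDevices": ["00008030-CONSTRUCTED"],
    "Entitlements": {"get-task-allow": False}})

if __name__ == "__main__":
    for blob in (ENTERPRISE_SAMPLE, ADHOC_SAMPLE):
        print(triage(blob, trusted_team_ids={"ZZZZZ99999"}))
```

A wallet app carrying an enterprise profile from a team unrelated to the wallet vendor is a strong signal that it did not come through App Store review.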
Broader Implications and User Advice
The FakeWallet campaign highlights the evolving tactics used by cybercriminals to target cryptocurrency users. While many of the identified apps have been removed, the threat landscape for crypto users remains dynamic. Users are advised to exercise extreme caution when downloading cryptocurrency wallet applications, to only download from verified developers, and to be wary of any redirection prompts or requests for sensitive information outside of official app channels. The campaign primarily targeted users in China due to regional restrictions on crypto apps, but the malware itself does not have geographic limitations.
