FakeWallet crypto stealer spreading in the App Store

216.73.217.22

FakeWallet crypto stealer spreading in the App Store

· Published 20/04/2026 12:25 · Modified 20/04/2026 16:54

Essential information

Published: 20/04/2026 12:25
Modified: 20/04/2026 16:54
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: chinese targeting cryptocurrency enterprise certificates fakewallet ios phishing apps provisioning profiles sparkkitty app store credential theft cryptocurrency wallet
Tags: 2026-04-20 app store chinese targeting credential-theft cryptocurrency cryptocurrency wallet enterprise certificates fakewallet ios phishing apps provisioning profiles sparkkitty
Related entities: 53 indicators, 53 observables, 23 techniques (mitre), 2 malware, 22 others

Description

In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages that distribute trojanized versions of legitimate wallets designed to steal recovery phrases and private keys. The campaign primarily targets users in China, exploiting regional restrictions that prevent official crypto wallet apps from being available in the Chinese App Store. Attackers use typosquatting and fake promotional materials to deceive users. The infected applications leverage iOS enterprise provisioning profiles for distribution and employ various techniques including malicious library injection and source code modification. The campaign has been active since at least fall 2025 and targets major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. Some infected apps also contained SparkKitty modules, suggesting potential links between threat actors.

Related entities

yjzhengruol.com
iosfc.com
helllo2025.com
sxsfcc.com
kkkhhhnnn.com
crypto-stroe.cc
appstoreios.com
nmu8n.com
zmx6f.com
mgi1y.siyangoil.com
nziwytu5n.lahuafa.com
mti4ywy4.lahuafa.com
zdrhnmjjndu.ulbcl.com
xz.apps-store.im
mtjln.siyangoil.com
www.gxzhrc.cn
ngy2yjq0otlj.ahroar.com
odm0.siyangoil.com
6688cf.jhxrpbgq.com
ntm0mdkzymy3n.oukwww.com
mziyytm5ytk.ahroar.com
api.dc1637.xyz
https://sxsfcc.com/api/open/postByTokenpocket
https://kkkhhhnnn.com/api/open/postByTokenpocket
https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35
https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=
https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ
https://zmx6f.com/btp/ios/receiRsakeyword.php
https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN
https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737
https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860
https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5
https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb
https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31
https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF
https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n
https://helllo2025.com/api/open/postByTokenpocket
https://crypto-stroe.cc/
https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f
https://www.gxzhrc.cn/download/
https://139.180.139.209/prod-api/system/confData/getUserConfByKey/
https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=
https://iosfc.com/ledger/ios/Rsakeycatch.php
https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n
https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc
https://api.npoint.io/153b165a59f8f7d7b097
https://6688cf.jhxrpbgq.com/6axqkwuq
https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca
https://nmu8n.com/tpocket/ios/Rsakeyword.php
https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf
https://api.dc1637.xyz
https://yjzhengruol.com/s/3f605f
ce5cb685b831d3eec4c86ca50b110827e7ad1f0e4fec41c4e4f87dcd97f262cb