Phishing Campaign Targets Crypto Wallets on iOS
TL;DR
A recent phishing campaign discovered by Kaspersky involved over 20 malicious apps in the Apple App Store masquerading as popular cryptocurrency wallets. The apps harvest the secrets that give full control of a wallet, chiefly the recovery (seed) phrase and private keys.
Main Analysis
In March 2026, Kaspersky identified a surge of phishing applications in the Apple App Store, mainly targeting users in China. The apps impersonate well-known cryptocurrency wallets such as MetaMask and Trust Wallet, relying on typosquatted names and copied icons to pass as the genuine product. Once installed, they send the user to deceptive web pages that both harvest sensitive information and push trojanized builds of the wallet. The malware is built to capture the inputs that matter most: the recovery phrase and private keys, which are all an attacker needs to move the victim's funds.
The campaign continues a pattern seen in earlier years, with refined tactics. Bundling benign cover functionality, such as a game or a task planner, lets a phishing app look legitimate while the malicious logic runs alongside it. Kaspersky's analysis also indicates that much of the activity has been running since late 2025, so this is an established, ongoing operation against wallet users rather than a one-off.
Defensive Context
Organizations that transact in or hold cryptocurrency should be particularly vigilant. An App Store listing is no guarantee that an app comes from the wallet vendor it names; users who install a wallet app that is not published by the provider's own developer account may be handing their seed phrase to this campaign. The attack trades on well-known crypto brands to deceive people who are already navigating a complex and often confusing environment.
Why This Matters
The implications of this campaign are considerable for the cryptocurrency ecosystem. Users in markets where official wallet apps are restricted are at heightened risk, since a look-alike may be the only wallet app they can find. While the campaign has mainly targeted the Chinese App Store, the tactics travel, and English-speaking users can fall victim to the same pattern if they install similar deceptive apps.
Defender Considerations
Organizations should monitor for abnormal app behaviour and report suspicious apps to Apple. Kaspersky has reported its findings to Apple, which has removed several of the identified apps. Treat any wallet app that opens external links, prompts for a download, or asks for the recovery phrase outside the documented import flow as suspect, especially during wallet setup or transfers. No legitimate wallet vendor, support channel, website, or update process ever needs a user's recovery phrase.
Indicators of Compromise (IOCs)
Infected cryptowallet IPA file hashes (MD5):
- 4126348d783393dd85ede3468e48405d
- b639f7f81a8faca9c62fd227fef5e28c
- d48b580718b0e1617afc1dec028e9059
Malicious React Native application hash (MD5):
- 84c81a5e49291fe60eb9f5c1e2ac184b
C2 addresses (defanged; hxxps = https):
- hxxps://kkkhhhnnn.com/api/open/postByTokenpocket
- hxxps://iosfc.com/ledger/ios/Rsakeycatch.php
Organizations should remain alert to these threats, as the attackers continue to refine their tactics for stealing users' sensitive data.
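The IOCs above are only useful once they are matched against something. The following script is an added example, not part of Kaspersky's report or the original page: it embeds the published MD5 values and defanged C2 URLs, refangs the URLs, hashes local IPA files for comparison, and scans proxy log lines for connections to the C2 hosts. The log line format and the sample log entries are constructed for the example; adapt the regex to your proxy's actual format.

```python
"""Match the published IOCs for the iOS crypto-wallet phishing campaign
against local artifacts (IPA files) and web proxy logs.

Added example. The hash and URL values are the ones listed above; the log
format, sample log lines and file names are constructed assumptions.
"""
import hashlib
import re
from urllib.parse import urlparse

# Published hashes (32 hex characters, i.e. MD5). Case-insensitive matching below.
IOC_MD5 = {
    "4126348d783393dd85ede3468e48405d",  # infected wallet IPA
    "b639f7f81a8faca9c62fd227fef5e28c",  # infected wallet IPA
    "d48b580718b0e1617afc1dec028e9059",  # infected wallet IPA
    "84c81a5e49291fe60eb9f5c1e2ac184b",  # malicious React Native app
}

# Published C2 URLs, defanged with "hxxps" exactly as in the IOC list.
IOC_C2_DEFANGED = [
    "hxxps://kkkhhhnnn.com/api/open/postByTokenpocket",
    "hxxps://iosfc.com/ledger/ios/Rsakeycatch.php",
]


def refang(url: str) -> str:
    """Turn a defanged IOC ("hxxp(s)://", "[.]") back into a real URL for matching."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def c2_hosts() -> set:
    """Lower-cased hostnames of the published C2 URLs.

    Matching on host rather than the full URL also catches traffic to other
    paths on the same server, which the IOC list does not enumerate.
    """
    return {urlparse(refang(u)).hostname.lower() for u in IOC_C2_DEFANGED}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large IPA archives are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_ioc_hash(md5_hex: str) -> bool:
    return md5_hex.lower() in IOC_MD5


# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"\S+\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Return (client_ip, url) for every line whose URL host is a known C2 host."""
    hosts = c2_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = urlparse(m.group("url")).hostname
        if host and host.lower() in hosts:
            hits.append((m.group("ip"), m.group("url")))
    return hits


# Constructed sample log lines: two C2 contacts among benign traffic.
SAMPLE_PROXY_LOG = [
    "2026-03-02T10:14:05Z 10.0.0.12 GET https://apps.apple.com/ 200",
    "2026-03-02T10:14:09Z 10.0.0.12 POST https://kkkhhhnnn.com/api/open/postByTokenpocket 200",
    "2026-03-02T10:15:41Z 10.0.0.7 POST https://iosfc.com/ledger/ios/Rsakeycatch.php 200",
    "2026-03-02T10:16:00Z 10.0.0.9 GET https://example.com/ 200",
]


if __name__ == "__main__":
    import sys
    for ip, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C2 contact from {ip}: {url}")
    # Any IPA paths given on the command line are hashed and checked.
    for path in sys.argv[1:]:
        digest = md5_of_file(path)
        print(f"{path}: {digest} {'MATCH' if matches_ioc_hash(digest) else 'clean'}")
```

A hash match is only a positive signal: a recompiled or re-signed build of the same trojanized wallet will have a different MD5, so absence of a match clears nothing. Host-level blocking of the two C2 domains at the proxy or DNS layer is the more durable control.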