CYBERSECURITY researchers have uncovered 26 malicious apps on the Apple App Store that impersonate popular crypto wallets to harvest recovery phrases and private keys, with activity dating back to at least fall 2025. The FakeWallet family mimics wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket and Trust Wallet, and many of the apps were taken down by Apple after disclosure.
Once launched, the apps redirect users to lookalike browser pages and trojanised wallet versions, aiming to hijack mnemonic phrases and exfiltrate them to an external server. Kaspersky said the infection chain often delivers via a malicious library injection or by modifying the original wallet app, and some variants rely on phishing-style prompts to obtain mnemonics.
The campaign is believed to involve threat actors linked to the SparkKitty trojan campaign, with newer tactics including phishing notices and embedding into cold wallet apps, according to statements attributed to Kaspersky. according to Kaspersky, the end goal is to drain cryptocurrency assets by exfiltrating seed phrases from both hot and cold wallets.