Cybersecurity researchers at Slovak cybersecurity firm ESET have peeled back the layers of a sophisticated cryptocurrency scam targeting Chinese users.
The scammers created counterfeits of legitimate Android and iOS digital wallet applications to redirect cryptocurrency funds. “These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” reported Lukáš Štefanko, senior researcher at ESET. On Android, the trojanized apps appear to target new users who do not already have the genuine wallet app installed; on iOS, by contrast, a victim could end up with both the authentic and the counterfeit app installed side by side.
The counterfeit wallets were promoted through fake wallet websites aimed at Chinese users, and the operators recruited intermediaries through Telegram and Facebook groups to steer visitors into downloading the apps.
When did it start?
ESET’s investigation, which began in May 2021, attributed the campaign to a single criminal group. The group produced “trojan horse” wallet apps that copied the functionality of the original applications and added malicious code responsible for redirecting crypto assets. The malicious code was injected in places that would escape a cursory examination of the app.
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” said Štefanko. This presents a secondary threat since other criminals eavesdropping on this unsecured link could steal the seed phrases.
Hack can spread, warns expert
ESET found multiple groups promoting the trojanized applications on the Telegram messaging app and sharing them in 56 Facebook groups. All communication in the Telegram groups was in Chinese, and the individuals promoting the apps were promised a 50% cut of the stolen crypto.
The fake iOS applications were not available on the Apple App Store; they were distributed through malicious websites and installed using configuration profiles not authorized by Apple. Thirteen fake Android apps masquerading as the Jaxx Liberty wallet were found on Google Play and removed by January 2022, but not before being installed more than 1,000 times. Štefanko said the apps attempted to steal the user’s recovery seed phrase and forward it to a server or to a Telegram group.
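The two findings above, seed phrases being sent to an attacker-controlled endpoint and, in some samples, over plaintext HTTP, are the kind of thing a network defender can hunt for. The following is an added example, not code from ESET or from the article, that scans a constructed log of outbound HTTP requests for form or JSON values shaped like a BIP39 mnemonic (12, 15, 18, 21 or 24 words of 3 to 8 lowercase letters) and rates any hit more severely when the request went over http:// rather than https://. The sample requests, host names and the word-shape heuristic are assumptions of this example: it does not embed the 2048-word BIP39 list or verify the mnemonic checksum, so a production detector should add both.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Lengths a BIP39 mnemonic can have.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}

# BIP39 English words are 3 to 8 lowercase ASCII letters. This is only a
# shape check (assumption of this example): the real word list and the
# checksum are not verified here.
WORD_RE = re.compile(r"[a-z]{3,8}")

# Constructed sample log, one (method, url, body) per outbound request as a
# proxy might record it. None of these are real hosts or real traffic.
SAMPLE_REQUESTS = [
    # Plaintext HTTP, URL-encoded form field carrying a 12-word mnemonic.
    ("POST", "http://wallet-update.example/api/v1/import",
     "words=abandon ability able about above absent absorb abstract absurd abuse access accident&pw=x"),
    # HTTPS, JSON body carrying a 24-word mnemonic (still exfiltration).
    ("POST", "https://api.example-wallet.com/v2/sync",
     '{"mnemonic":"' + " ".join(["zoo"] * 23 + ["vote"]) + '"}'),
    # Ordinary fetch with no body.
    ("GET", "http://cdn.example/app.js", ""),
    # Twelve English words, but "i", "is" and "it" fail the word-shape check.
    ("POST", "http://blog.example/comment",
     "text=i think the app is fine but it crashes on every launch"),
]


def find_mnemonics(body):
    """Return candidate mnemonics found in a request body.

    The body is URL-decoded and lower-cased, then split into chunks on any
    character that cannot occur inside a mnemonic (quotes, '&', '=', braces,
    etc.). A chunk is reported when it is exactly 12/15/18/21/24 words long
    and every word has BIP39 word shape.
    """
    text = unquote_plus(body).lower()
    hits = []
    for chunk in re.split(r"[^a-z ]+", text):
        words = chunk.split()
        if len(words) in MNEMONIC_LENGTHS and all(WORD_RE.fullmatch(w) for w in words):
            hits.append(" ".join(words))
    return hits


def classify_request(method, url, body):
    """Rate one logged request: 'none', 'high' (seed phrase leaving the
    device over TLS) or 'critical' (seed phrase readable by anyone on the
    network path because the transport is plaintext HTTP)."""
    mnemonics = find_mnemonics(body)
    if not mnemonics:
        return {"method": method, "url": url, "severity": "none", "mnemonics": []}
    scheme = urlsplit(url).scheme.lower()
    severity = "critical" if scheme == "http" else "high"
    return {"method": method, "url": url, "severity": severity, "mnemonics": mnemonics}


def scan(requests):
    """Classify every (method, url, body) tuple in the log."""
    return [classify_request(m, u, b) for m, u, b in requests]


if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        if result["severity"] != "none":
            print(result["severity"].upper(), result["method"], result["url"])
            for phrase in result["mnemonics"]:
                print("  mnemonic:", phrase)
```

Run on the sample log this flags the first request as critical (a 12-word phrase in a plaintext POST) and the second as high (a 24-word phrase over HTTPS), and ignores the other two. Because the transport check only looks at the URL scheme, a deployment that terminates TLS at a proxy should feed the detector the original client-facing scheme, not the proxy's upstream one.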
ESET warns that the threat may spread well beyond its current targets. “Moreover, it seems that the source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread this threat even further,” Štefanko added.