Watch Out for Fake Crypto Wallet Apps, $4.3M Stolen — MetaMask, imToken, Bitpie, Trust Wallet, and More!


    Trend Micro’s Threat Research team has uncovered a web of 249 fake cryptocurrency wallet apps, which at present have facilitated the theft of over $4.3 million. With many of the fake apps still at large, read on to learn how to avoid becoming another victim.

    How the scam works

    The hackers have created numerous different fake crypto wallet apps designed to perfectly mimic real ones, including apps from MetaMask, imToken, Bitpie, and Trust Wallet.

    The hackers are clever — they are targeting their victims in multiple ways. Here’s what you need to watch out for:

    SMS/Email

    Impersonating legitimate crypto wallet app companies, the hackers have been sending out text messages and emails with malicious links that lead to download pages for their fake apps.

    Source: Twitter

    Although the scammers are regularly updating the content of the messages, they most commonly say that the current version of your crypto wallet app is out of date and you need to click on the embedded link to download the newest version or that there is some sort of issue with your wallet and it needs to be restored (as seen in the image above).

    Fake crypto wallet websites

    The hackers have created fake versions of official crypto wallet app websites with similar, but slightly different domain names from the legitimate ones. Some of these copycat websites appear very high in search results and look exceptionally similar to the real versions.

    The legitimate site is on the left and the copycat site is on the right
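
    A defender-side check for the "similar, but slightly different" domains described above, as an added example that is not part of the original article: it classifies a link's hostname as official, lookalike, or unknown. The official-domain list, the substitution table, and the distance threshold are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption: official domain -> brand label. Confirm each domain through the
# vendor's own channels before relying on this list.
OFFICIAL = {
    "metamask.io": "metamask",
    "token.im": "imtoken",
    "bitpie.com": "bitpie",
    "trustwallet.com": "trustwallet",
    "tokenpocket.pro": "tokenpocket",
}

# Fold common look-alike substitutions: digits for letters, inserted hyphens.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def skeleton(label: str) -> str:
    """Canonical form of a DNS label, so 'trustwa11et' folds to 'trustwallet'."""
    return label.lower().translate(FOLD).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, official domain imitated); verdict is official, lookalike or unknown."""
    if "//" not in url:
        url = "//" + url  # let urlsplit parse scheme-less links from messages
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in OFFICIAL:
        if host == domain or host.endswith("." + domain):
            return "official", domain
    for label in host.split("."):
        folded = skeleton(label)
        for domain, brand in OFFICIAL.items():
            # Brand embedded in a label, or one typo away from it.
            if brand in folded or edit_distance(folded, brand) <= 1:
                return "lookalike", domain
    return "unknown", None
```

    Internationalized (punycode) hostnames are not decoded here, so homoglyph domains using non-ASCII characters need a separate check.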

    Fake tech support messages on social media/in crypto communities

    Again, disguising themselves as official crypto wallet app companies, the hackers have been posting fake tech support messages on various social media platforms and in official cryptocurrency communities. Their messages are designed to get people to click on the links to their copycat websites.

    Source: Twitter

    Fake customer service over the phone

    The hackers have also been contacting potential victims over the phone, posing as customer service representatives of crypto wallet app companies and tricking people into downloading their fake apps.

    249 fake crypto wallet apps — MetaMask, imToken, Bitpie, Trust Wallet, and TokenPocket

    The Threat Research team discovered fake versions of all the most popular crypto wallet apps available, including imToken, Bitpie, MetaMask, Trust Wallet, and TokenPocket. A total of 249 fake apps were discovered, which the team found were downloaded by victims in countries all over the world, including the United States, France, Germany, Australia, New Zealand, and Japan.

    The popularity of the fake apps
    The fake apps’ global distribution

    All the hackers want is your “mnemonic phrase”

    Through thorough analysis of multiple samples, Trend Micro’s Threat Research team found out that all the fake apps and websites work the same way: they steal victims’ mnemonic phrases, which grants the hackers access to the victims’ crypto wallets and enables them to transfer all the cryptocurrency out of the victims’ accounts.

    A mnemonic phrase is a series of unrelated words that is generated when a crypto wallet is created. Typically, it is 12 or 24 words long. In the event that a crypto wallet is lost or damaged, a mnemonic phrase can be used to recover a user’s cryptocurrency. Once a mnemonic phrase is entered into one of these fake apps or websites, it is sent directly to the hackers.

    The investigation

    During their investigation, Trend Micro’s Threat Research team discovered that the backend management system for one of the fake crypto wallet apps contained numerous stolen mnemonic phrases from multiple different fake wallet apps — proof that the hackers can manage numerous fake crypto wallet apps concurrently.

    The Threat Research team also joined a public Telegram group where hackers are openly selling their fake cryptocurrency apps, copycat websites, and backend management systems — everything needed to steal cryptocurrency. The hackers say they can provide fake versions of all the major cryptocurrency wallet apps, meaning they can facilitate the theft of all the most popular cryptocurrencies including ETH, BTC, USDT, and BNB.

    After the theft

    After a victim’s mnemonic phrase is stolen, the hacker will immediately transfer all the victim’s cryptocurrency through multiple disposable wallets. After multiple transfers, the money is eventually split between several other wallets. During the investigation, the Threat Research team discovered that over $4.3 million had passed through one of the wallets.


    Considering the fact that a hacker will normally have multiple wallets, and that the Threat Research team detected 249 fake crypto wallet apps, the amount of money stolen is highly likely to far exceed $4.3 million.

    The team found fake versions of all the most popular crypto wallet apps on the market including:

    • MetaMask
    • imToken
    • Bitpie
    • Trust Wallet
    • TokenPocket

    How to protect yourself

    1. Only download apps from the Google Play Store and the Apple App Store.
    2. If you observe any suspicious behavior when updating a crypto wallet app, immediately terminate the update and uninstall the app.
    3. To confirm the legitimacy of a crypto wallet app, the first time you transfer money, send only a small amount.
    4. Install Trend Micro Mobile Security. Its cloud-based Smart Protection Network™ and Mobile App Reputation technology can stop threats before they can reach you. Learn more about Trend Micro Mobile Security by clicking the button below.