Trend Micro’s Threat Research team has uncovered a web of 249 fake cryptocurrency wallet apps, which at present have facilitated the theft of over $4.3 million. With many of the fake apps still at large, read on to learn how to avoid becoming another victim.

How the scam works

The hackers have created numerous different fake crypto wallet apps designed to perfectly mimic real ones, including apps from MetaMask, imToken, Bitpie, and Trust Wallet.

The hackers are clever — they are targeting their victims in multiple ways. Here’s what you need to watch out for:

SMS/Email

Impersonating legitimate crypto wallet app companies, the hackers have been sending out text messages and emails with malicious links that lead to download pages for their fake apps.

Although the scammers are regularly updating the content of the messages, they most commonly say that the current version of your crypto wallet app is out of date and you need to click on the embedded link to download the newest version or that there is some sort of issue with your wallet and it needs to be restored (as seen in the image above).

Fake crypto wallet websites

The hackers have created fake versions of official crypto wallet app websites with similar, but slightly different domain names from the legitimate ones. Some of these copycat websites appear very high in search results and look exceptionally similar to the real versions.

Fake tech support messages on social media/in crypto communities

Again, disguising themselves as official crypto wallet app companies, the hackers have been posting fake tech support messages on various social media platforms and in official cryptocurrency communities. Their messages are designed to get people to click on the links to their copycat websites.

Fake customer service over the phone

The hackers have also been contacting potential victims over the phone, posing as customer service representatives of crypto wallet app companies and tricking people into downloading their fake apps.

249 fake crypto wallet apps — MetaMask, imToken, Bitpie, Trust Wallet, and TokenPocket

The Threat Research team discovered a fake version of all the most popular crypto wallet apps available, including imToken, Bitpie, MetaMask, Trust Wallet, and TokenPocket. A total of 249 fake apps were discovered, which the team found were downloaded by victims in countries all over the world, including the United States, France, Germany, Australia, New Zealand, and Japan.

All the hackers want is your “mnemonic phrase”

Through thorough analysis of multiple samples, Trend Micro’s Threat Research team found out that all the fake apps and websites work the same way: they steal victims’ mnemonic phrases, which grants the hackers access to the victims’ crypto wallets and enables them to transfer all the cryptocurrency out of the victims’ accounts.

A mnemonic phrase is a series of unrelated words that are generated when a crypto wallet is created. Typically, they are 12 or 24 words long. In the event that a crypto wallet is lost or damaged, a mnemonic phrase can be used to recover a user’s cryptocurrency. Once a mnemonic phrase is entered onto one of these fake apps or websites, it is sent directly to the hackers.

The investigation

During their investigation, Trend Micro’s Threat Research team discovered that the backend management system for one of the fake crypto wallet apps contained numerous stolen mnemonic phrases from multiple different fake wallet apps — proof that the hackers can manage numerous fake crypto wallet apps concurrently.

The Threat Research team also joined a public Telegram group where hackers are openly selling their fake cryptocurrency apps, copycat websites, and backend management systems — everything needed to steal cryptocurrency. The hackers say they can provide fake versions of all the major cryptocurrency wallet apps, meaning they can facilitate the theft of all the most popular cryptocurrencies including ETH, BTC, USDT, and BNB.

After the theft

After a victim’s mnemonic phrase is stolen, the hacker will immediately transfer all the victim’s cryptocurrency through multiple disposable wallets. After multiple transfers, the money is eventually split between several other wallets. During the investigation, the Threat Research team discovered that over $4.3 million had passed through one of the wallets.

Considering the fact that a hacker will normally have multiple wallets, and that the Threat Research team detected 249 fake crypto wallet apps, the amount of money stolen is highly likely to far exceed $4.3 million.

The team found fake versions of all the most popular crypto wallet apps on the market including:

• MetaMask
• imToken
• Bitpie
• Trust Wallet
• TokenPocket

How to protect yourself

1. Only download apps from the Google Play Store and the Apple App Store.
2. If you observe any suspicious behavior when updating a crypto wallet app, immediately terminate the update and uninstall the app.
3. To confirm the legitimacy of a crypto wallet app, the first time your transfer money, send only a small amount.
4. Install Trend Micro Mobile Security. Its cloud-based Smart Protection Network™ and Mobile App Reputation technology can stop threats before they can reach you. Learn more about Trend Micro Mobile Security by clicking the button below.