Mark0

FakeWallet crypto stealer spreading through iOS apps in the App Store

In March 2026, researchers uncovered a sophisticated campaign involving more than twenty phishing applications in the Apple App Store masquerading as popular cryptocurrency wallets such as MetaMask, Ledger, and Coinbase. These apps utilize typosquatting and functional placeholders to bypass security filters, eventually redirecting users to install trojanized versions via malicious iOS provisioning profiles. The campaign, which appears to have been active since 2025, is primarily designed to hijack recovery phrases and private keys from both hot and cold wallets.

Technically, the threat actors employ malicious library injections and method swizzling to hook into legitimate app functions. By hijacking initialization processes or modifying React Native source code, the malware scrapes mnemonics directly from the user interface. These credentials are encrypted via RSA and exfiltrated to command-and-control servers. While the campaign currently targets the Chinese App Store region, its automated phishing notifications can adapt to various locales, posing a global risk to cryptocurrency users.
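For defenders triaging an app that was installed through a provisioning profile, as described above, the sketch below reads the profile embedded in an extracted app bundle and flags in-house (enterprise) distribution and an unexpected signing team. It is an added example, not code from the original research; the sample profile, the team IDs and the `expected_team_ids` allowlist are constructed placeholders, and the CMS signature is not verified.

```python
import plistlib

def extract_profile(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision.
    Triage only: the CMS signature around the plist is not verified here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def triage_profile(profile: dict, expected_team_ids: set) -> list:
    """Return findings that make an app claiming a known wallet brand suspect."""
    findings = []
    if profile.get("ProvisionsAllDevices") is True:
        # In-house enterprise profile: installs on any device outside the App Store.
        findings.append("enterprise-distribution")
    elif profile.get("ProvisionedDevices"):
        # Device-limited profile: ad hoc or development build.
        findings.append("adhoc-or-development")
    teams = set(profile.get("TeamIdentifier", []))
    if not teams & expected_team_ids:
        # Signed by a team that is not on the vendor allowlist you maintain.
        findings.append("unexpected-team:" + ",".join(sorted(teams)))
    if profile.get("Entitlements", {}).get("get-task-allow"):
        findings.append("debuggable-build")
    return findings

def sample_blob() -> bytes:
    """Constructed sample: a plist wrapped in dummy bytes standing in for CMS data."""
    body = plistlib.dumps({
        "Name": "Constructed In-House Profile",
        "TeamIdentifier": ["ZZZZ000000"],          # constructed team ID
        "ProvisionsAllDevices": True,
        "Entitlements": {
            "application-identifier": "ZZZZ000000.com.example.wallet",
            "get-task-allow": False,
        },
    })
    return b"\x30\x82\x04\x00" + body + b"\x00\x01constructed-signature"

if __name__ == "__main__":
    # "PLACEHOLDER1" stands in for the genuine vendor's team ID (assumption).
    print(triage_profile(extract_profile(sample_blob()), {"PLACEHOLDER1"}))
```
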

