What happened
Kaspersky has identified 26 fake cryptocurrency wallet applications published to the Apple App Store as part of a campaign dubbed FakeWallet, active since at least fall 2025. The apps were first noticed in March after appearing frequently in Chinese App Store search results, where many legitimate wallet applications are unavailable due to regional restrictions. Threat actors exploited that gap by mimicking the names, icons, and branding of major wallets including Bitpipe, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet through typosquatting and lookalike listings.
The malicious apps were designed to harvest users’ recovery phrases, seed phrases, and private keys, and to hijack wallet restoration processes. Malicious code was delivered primarily via libraries but in some cases injected directly into wallet source code. Two Ledger-specific implants were identified targeting cold wallets. Kaspersky also found additional apps linked to the same threat actor that contained no active phishing functionality at the time of analysis, with the assessment that malicious features were likely waiting to be activated in a future update.
Beyond the App Store, Kaspersky identified a website impersonating the official Ledger site hosting links to the malicious applications, and compromised Android wallet apps distributed through Chinese-language phishing pages outside the Play Store. While the campaign appears primarily aimed at Chinese speakers, the malicious modules contain no built-in regional restrictions and some phishing notifications were observed adapting to the app’s language, indicating potential for broader targeting. The campaign shows links to SparkKitty malware uncovered in June 2025 based on distribution techniques, code characteristics, and overlapping modules. Apple has been notified and has begun removing the apps.
Who is affected
Cryptocurrency users who downloaded any of the 26 identified fake wallet apps face direct exposure of recovery phrases, seed phrases, and private keys, enabling complete loss of wallet contents. Although the campaign initially focused on Chinese App Store users, the absence of regional restrictions in the malicious code means users outside China are also at risk. Cold wallet users are specifically targeted through the Ledger implants.
Why CISOs should care
Malicious apps reaching the Apple App Store are nothing new, but a coordinated campaign of 26 fake wallets with dormant payloads waiting to be activated in future updates represents a more sophisticated and scalable threat than isolated cases. The dormant-app pattern is particularly concerning for enterprise environments, where an employee may have installed an app that appeared clean at the time of review but has since become a live credential harvester following a background update.
For security leaders managing environments with cryptocurrency exposure, whether through treasury operations, vendor payments, or employee personal devices on corporate networks, this campaign is a concrete indicator that app store vetting alone is not sufficient.
3 practical actions
- Audit cryptocurrency wallet apps on managed and BYOD devices: Kaspersky has published the list of 26 identified fake apps. Cross-reference installed applications against that list and remove any matches immediately, paying particular attention to apps installed since fall 2025.
- Treat dormant app functionality as an ongoing risk, not a one-time check: Apps that pass initial review can activate malicious features through updates. Mobile device management policies should include controls for monitoring app updates and flagging behavioral changes in applications with access to sensitive functions.
- Reinforce guidance on wallet app sourcing for employees with cryptocurrency exposure: Even on the App Store, users should verify wallet apps against the official developer’s website before downloading, check publisher names carefully for typosquatting, and avoid apps promoted through banners claiming to provide access to unavailable official wallets.
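The first and third actions above come down to two checks that can be scripted against an MDM inventory export: does any installed bundle ID appear on the published list, and does any app name imitate a legitimate wallet brand without coming from a verified bundle ID? The following is an added example, not code from Kaspersky or the article. It assumes a generic CSV inventory (`device, bundle_id, app_name, publisher, installed_on`) rather than any vendor's format; `FLAGGED_BUNDLE_IDS` and `KNOWN_GOOD_BUNDLE_IDS` are placeholders to be replaced with the identifiers from Kaspersky's list and from the wallet vendors' official listings. The brand names are the ones the report names; the lookalike check uses edit distance on a normalized app name, so it also catches typosquats the text does not list.

```python
"""Audit a mobile app inventory for known-fake and lookalike wallet apps.

Added example, not from the Kaspersky report. All bundle IDs below are
placeholders; the inventory CSV is constructed sample data.
"""
import csv
import io
import re
from datetime import date

# PLACEHOLDER: replace with bundle IDs from Kaspersky's published list of 26 apps.
FLAGGED_BUNDLE_IDS = {"com.example.fake-wallet-1", "com.example.fake-wallet-2"}

# PLACEHOLDER: bundle IDs verified against each wallet vendor's official site.
KNOWN_GOOD_BUNDLE_IDS = {"com.example.real.metamask", "com.example.real.coinbase"}

# Brands the report says were imitated ("trust" because normalize() drops "wallet").
LEGIT_WALLETS = ("bitpipe", "coinbase", "imtoken", "ledger", "metamask", "tokenpocket", "trust")

# Campaign active since at least fall 2025; installs after this date get a closer look.
CAMPAIGN_START = date(2025, 9, 1)

# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = """device,bundle_id,app_name,publisher,installed_on
ios-001,com.example.fake-wallet-1,Trust Wallet,Wallet Apps Ltd,2025-11-03
ios-002,com.example.real.metamask,MetaMask,ConsenSys,2024-02-10
ios-003,com.lookalike.metamsk,MetaMsk Wallet,Crypto Secure,2026-01-15
ios-004,com.example.real.coinbase,Coinbase,Coinbase Inc,2025-12-01
ios-005,com.notes.app,Notes,Apple,2023-05-05
ios-006,com.other.coinbasepro,Coinbase,Coinbase Pro Ltd,2024-06-20
"""


def normalize(name: str) -> str:
    """Lowercase, strip non-alphanumerics and the generic word 'wallet'."""
    compact = re.sub(r"[^a-z0-9]", "", name.lower())
    return compact.replace("wallet", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def name_findings(app_name: str, bundle_id: str) -> list:
    """Flag brand names on unverified bundle IDs and near-miss (typosquat) names."""
    reasons = []
    norm = normalize(app_name)
    for brand in LEGIT_WALLETS:
        d = edit_distance(norm, brand)
        if d == 0:
            # Exact brand name: fine only if the bundle ID is on the verified list.
            if bundle_id not in KNOWN_GOOD_BUNDLE_IDS:
                reasons.append(f"brand_name_unverified_bundle:{brand}")
        elif d <= (1 if len(brand) <= 6 else 2):
            # Short brands get a tighter threshold to limit false positives.
            reasons.append(f"lookalike_name:{brand}")
    return reasons


def audit_inventory(csv_text: str) -> list:
    """Return one finding per suspicious app, in inventory order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["bundle_id"] in FLAGGED_BUNDLE_IDS:
            reasons.append("flagged_bundle_id")
        reasons.extend(name_findings(row["app_name"], row["bundle_id"]))
        if reasons:
            installed = date.fromisoformat(row["installed_on"])
            findings.append({
                "device": row["device"],
                "bundle_id": row["bundle_id"],
                "app_name": row["app_name"],
                "publisher": row["publisher"],
                "reasons": reasons,
                "installed_during_campaign": installed >= CAMPAIGN_START,
            })
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f["device"], f["bundle_id"], f["reasons"], "recent" if f["installed_during_campaign"] else "")
```

A hit on `flagged_bundle_id` is a removal action; a `lookalike_name` or `brand_name_unverified_bundle` hit is a review item, because a legitimate vendor app that is simply missing from the verified list will also trigger it. The `installed_during_campaign` flag orders the review queue rather than deciding it, since a clean-looking app installed earlier can still turn malicious through an update.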
Also in the news today:
- Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000
- New Lotus Data Wiper Used Against Venezuelan Energy and Utility Firms
- Italian Regulator Fines National Postal Service Organizations $15 Million for Data Privacy Violations
- Unsecured Perforce Servers Expose Sensitive Data From Major Organizations
- NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023
