Web3 wallets targeted by Chinese hackers; ‘SeaFlower’ uses cloned websites to trick crypto traders


A hacking group operating out of China has been identified using a relatively simple but effective way to steal money from Web3 wallets: distributing modified versions of the wallet apps that contain programmed backdoors. The Chinese hackers have cloned legitimate wallet distribution sites, tricking users into downloading a compromised version.

Researchers from digital advertising security firm Confiant spotted and tracked the threat actor’s activity and called it a “very sophisticated” operation. The Chinese hackers mainly target searches for a specific group of Web3 wallets and focus on iOS and Android users.

Chinese hackers publish “identical” clones of the wallets, in both presentation and code (apart from the backdoors)

The Chinese hackers succeed with this approach mainly because of their attention to detail, both in cloning the official Web3 wallet websites and in reproducing the actual wallet code. The only difference from the legitimate download process and user experience is the insertion of backdoor code that allows them to drain funds from the victim.

Confiant has given the group the nickname “SeaFlower”. Its identity is still unclear, but there are many clues placing it in China: Chinese macOS usernames have been associated with the group’s activity, the backdoor code contains comments in Chinese, some of the frameworks used are common in the Chinese hacking community and come from Chinese coders, and various elements of the attack infrastructure are associated with mainland China and Hong Kong IP addresses. The group also uses attack sites that are mainly in Chinese and English, and focuses heavily on baiting traffic from Chinese search engines.

The Chinese hackers are currently targeting four Web3 wallets: Coinbase Wallet, imToken, MetaMask, and Token Pocket. Attackers target both the iOS and Android versions of these wallets. The researchers point out that the legitimate versions of these wallets are completely safe and do not contain any vulnerabilities; the trick is to avoid the contaminated downloads when using search engines to find them.

The code the Chinese hackers added to their fake versions of the Web3 wallets uses several different techniques to extract the user’s seed phrase, the recovery phrase needed to regain access to the wallet if the device is lost. Different approaches are used for different Web3 wallets, but the malicious code tends to grab the seed phrase right after the user enters it during wallet setup.

The scam was discovered by decrypting and monitoring the HTTPS traffic of the applications while they are in use; they can be observed connecting to spoofed versions of the legitimate domains associated with each wallet, usually with a slightly altered spelling of the legitimate name (such as “metanask” instead of metamask). The seed phrase, wallet address and balance are exfiltrated in these communications.
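An added example, not Confiant’s tooling or code from this page, of the kind of check a defender can run over the decrypted-proxy or DNS logs described above: it flags destination domains that resemble a wallet brand without being the assumed official domain. The allowlist entries, the brand list and the log line format are assumptions; the sample log lines are constructed to mirror the lookalike names this page mentions, and the last one shows that a name with no string similarity (appim.xyz) is only caught by the allowlist, not by similarity.

```python
# Added example: flag wallet-app traffic to lookalike domains. Log lines below are
# constructed ("timestamp app host=..."); real input would be decrypted-proxy or DNS logs.
BRANDS = ("metamask", "coinbase", "imtoken", "tokenpocket")
# Assumed allowlist of genuine vendor domains; fill it from each vendor's own documentation.
ALLOWLIST = {"metamask.io", "coinbase.com", "token.im"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    # Crude eTLD+1 (last two labels); enough for the TLDs in these samples.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(host: str) -> str:
    """Return 'allowed', 'lookalike:<brand>' or 'unknown' for one destination host."""
    dom = registrable(host)
    if dom in ALLOWLIST:
        return "allowed"
    sld = dom.split(".")[0]
    for brand in BRANDS:
        # 1) brand embedded in the label (som-coinbase); 2) near-miss typo (metanask).
        if brand in sld or levenshtein(sld, brand) <= 2:
            return f"lookalike:{brand}"
    return "unknown"  # e.g. appim.xyz: no string similarity, only the allowlist can judge it


def scan_log(lines):
    """Return (app, host, verdict) for every line not going to an allowlisted domain."""
    hits = []
    for line in lines:
        _ts, app, host = line.split()
        host = host.removeprefix("host=")  # constructed field format: timestamp app host=<name>
        verdict = classify(host)
        if verdict != "allowed":
            hits.append((app, host, verdict))
    return hits


SAMPLE_LOG = [  # constructed, modelled on the page's examples, not real captures
    "2022-06-13T10:01:02Z metamask-ios host=api.metamask.io",
    "2022-06-13T10:01:05Z metamask-ios host=api.metanask.io",
    "2022-06-13T10:02:11Z coinbase-android host=som-coinbase.com",
    "2022-06-13T10:03:40Z imtoken-android host=appim.xyz",
]
```

Every “unknown” verdict is a prompt to confirm the domain against the vendor’s own documentation and extend the allowlist, since similarity heuristics alone miss names like appim.xyz.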

“Perfectly” cloned official download sites for Web3 wallets

Although the backdoor element is necessary, what really makes the attack work are the identical clones of the legitimate download sites.

The URLs are the only thing that is not always carefully cloned, but they usually bear some relation to the legitimate Web3 wallet (such as “appim.xyz” for imToken and “som-coinbase.com” for Coinbase Wallet). The attackers also appear to be using search engine optimization techniques to rank highly in some results, especially on Baidu (where the attack sites sometimes break into the top 10 results for some common download-related search phrases for these apps).

The attack requires sideloading, something much more common (and easier to do) on Android. The Chinese hackers seem to have put a lot more effort into reaching the better-protected iOS users. This includes the use of provisioning profiles (which have since been flagged and delisted by Apple). The researchers also note that the malicious iOS code was buried much deeper and better obfuscated than the items found in the Android app releases.

This attack on Web3 wallets is part of a larger trend of cybercriminal activity focusing on crypto transactions. Attempting to hack or coax out a target’s seed phrase seems to be the most popular method, and phishing kits suitable for low-skilled attackers have appeared on underground markets in recent months.

Chris Olson of The Media Trust notes that cyber defenses do not necessarily follow this evolution: “Cryptocurrency is rapidly becoming a battleground for global cyber actors targeting crypto owners through multiple channels. While many are aware of the danger of phishing email scams, few are prepared for SEO and web attacks that target internet traffic and mobile users. In addition to encouraging caution among NFT and crypto users, this incident has three implications: first, web and mobile devices are developing as threat surfaces; second, foreign actors can leverage these surfaces to target users around the world. Finally, Web3 may be vulnerable to the same threats that have made Web 2.0 dangerous for years, unless early adopters of the technology commit to minimum standards of digital security and trust.”

All of the apps abused in this attack are safe to download from their official sources and use. However, given the attackers’ ability to poison search results, greater caution in identifying download sites is highly recommended. Bitcoin.com maintains a list of wallets with direct links to their genuine sites, and many of these wallets are also listed on the official Apple and Android app stores and can be found via a direct search there. If a web search for a particular wallet does need to be run, it is a good idea to run the URL that appears through a secondary search to confirm that it actually belongs to the legitimate business.
