
More than two dozen malicious cryptocurrency applications have been discovered on Apple’s App Store, posing as legitimate wallet services to steal sensitive user data, according to cybersecurity researchers at Kaspersky.
The campaign, referred to as “FakeWallet,” has reportedly been active since at least late 2025 and is designed to extract critical information such as recovery phrases and private keys—allowing attackers to gain full control over users’ crypto assets.
Researchers identified at least 26 fraudulent apps that closely imitate well-known cryptocurrency wallets such as Coinbase, MetaMask, Ledger, and Trust Wallet. These apps use techniques such as typosquatting (slight variations in names and branding) to deceive users into believing they are downloading legitimate applications.
In some cases, the apps did not present themselves as crypto wallets directly but instead displayed prompts or banners encouraging users to install them to access “official” wallet services that were unavailable in certain regions. This approach was particularly effective in markets like China, where restrictions on some crypto apps have created opportunities for impersonation attacks.
Further analysis revealed that some of these applications were linked to phishing infrastructure, including fake websites mimicking official wallet providers. These sites were used to distribute malicious versions of apps or redirect users to credential-harvesting pages.
Kaspersky also noted that several related apps identified in the campaign did not yet display malicious behavior, suggesting that harmful features could be activated later through updates. “It’s highly likely that the malicious features were simply waiting to be toggled on in a future update,” the researchers stated.




