Researchers uncovered FakeWallet, a phishing campaign that used more than 20 fake crypto wallet apps to steal users’ recovery phrases and private keys through fake App Store pages hosting trojanized versions of legitimate apps. Analysis of network and historical infrastructure showed the operation had been active since at least fall 2025 and involved domains such as crypto-stroe[.]cc, gxzhrc[.]cn, and jhxrpbgq[.]com. #FakeWallet #crypto-stroe[.]cc #gxzhrc[.]cn #jhxrpbgq[.]com
Key points
- More than 20 phishing apps were found masquerading as popular crypto wallets.
- Victims were redirected to fake App Store pages hosting trojanized versions of legitimate apps.
- The FakeWallet apps hijacked recovery phrases and private keys from affected users.
- Metadata indicates the campaign has likely been running since at least fall 2025.
- Researchers identified 28 network IoCs, including 12 subdomains, 15 domains, and one IP address.
- Investigation revealed malicious infrastructure activity such as bulk-registered look-alike domains and domains flagged for malware distribution.
- Historical and threat-intelligence analysis linked multiple additional domains, IPs, and email-connected domains to malicious campaigns.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign used phishing apps disguised as crypto wallets to lure victims into installing trojanized software [‘More than 20 phishing apps masquerading as popular crypto wallets’]
- [T1036] Masquerading – The malicious apps impersonated legitimate wallet applications and a fake App Store presence to appear trustworthy [‘masquerading as popular crypto wallets’; ‘fake App Store pages where trojanized versions of the legitimate apps were hosted’]
- [T1204] User Execution – Victims had to click the lure and download the app for the payload to be installed [‘when clicked, they redirected users to fake App Store pages’; ‘If downloaded, the malicious apps’]
- [T1552.004] Private Keys – The app stole private keys from infected users [‘hijacked affected users’ recovery phrases and private keys’]
- [T1552.003] Credentials from Password Stores – The app stole recovery phrases, which function as sensitive wallet credentials [‘hijacked affected users’ recovery phrases’]
- [T1090] Proxy – The infrastructure used Cloudflare IP addresses that were difficult to block without disrupting legitimate traffic [‘its Cloudflare IP addresses are hard to block without affecting legitimate traffic’]
- [T1095] Non-Application Layer Protocol – The investigation observed DNS-based communications and historical domain-to-IP/IP-to-domain resolutions [‘seven DNS queries’; ‘114 historical IP-to-domain resolutions’; ‘258 historical domain-to-IP resolutions’]
Indicators of Compromise
- [Domains/Subdomains] FakeWallet infrastructure and look-alike sites – crypto-stroe[.]cc, gxzhrc[.]cn, jhxrpbgq[.]com, and 2 more look-alikes
- [Subdomains] Malicious or suspicious endpoints used in the campaign – 6688cf[.]jhxrpbgq[.]com, mgi1y[.]siyangoil[.]com, and 10 more subdomains
- [IP address] Sole IP infrastructure identified in the analysis – one IP in Singapore hosted by The Constant Company; a further 18 IP addresses were found in historical resolution data, 8 of them confirmed malicious
- [Email-connected domains] Domains registered using historical WHOIS email addresses and later weaponized – bitpiecn[.]com[.]cn, meta-mask[.]org[.]cn, and 10,810 more domains
- [DNS resolutions] Historical domain-to-IP activity linked to the campaign – iosfc[.]com, siyangoil[.]com, and 10 more domains with resolution history
- [WHOIS/email artifacts] Public WHOIS email addresses tied to domain registration – 19 unique email addresses, including 7 public addresses used to register the email-connected domains
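A defender-side check built from the indicators above, added here as an example and not part of the original report: it refangs the page's defanged domains and scans DNS query-log lines for queries that equal or sit under an indicator, while not matching unrelated names that merely contain one (such as notcrypto-stroe.cc). The BIND-style log format and the sample lines are assumptions constructed for the example.

```python
import re

# Indicators named on this page, kept in their defanged form.
DEFANGED_IOCS = [
    "crypto-stroe[.]cc", "gxzhrc[.]cn", "jhxrpbgq[.]com",
    "6688cf[.]jhxrpbgq[.]com", "mgi1y[.]siyangoil[.]com",
    "bitpiecn[.]com[.]cn", "meta-mask[.]org[.]cn",
    "iosfc[.]com", "siyangoil[.]com",
]

def refang(indicator):
    """Turn a defanged indicator back into a matchable domain name."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def build_blocklist(defanged):
    return {refang(d) for d in defanged}

def matches_ioc(qname, blocklist):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Matching is label-wise, so 'notcrypto-stroe.cc' does not hit 'crypto-stroe.cc'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

# Constructed sample lines in BIND-style query-log format (assumed format, not from the report).
SAMPLE_LOG = """\
12-Feb-2026 10:01:02.123 queries: info: client 10.0.0.5#51234: query: app.6688cf.jhxrpbgq.com IN A + (10.0.0.1)
12-Feb-2026 10:01:03.456 queries: info: client 10.0.0.7#51235: query: www.apple.com IN A + (10.0.0.1)
12-Feb-2026 10:01:04.789 queries: info: client 10.0.0.9#51236: query: crypto-stroe.cc. IN AAAA + (10.0.0.1)
12-Feb-2026 10:01:05.000 queries: info: client 10.0.0.9#51237: query: notcrypto-stroe.cc IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def scan_log(text, blocklist):
    """Return (client, qname, matched_ioc) for every query that hits the blocklist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m["qname"], blocklist)
        if ioc:
            hits.append((m["client"], m["qname"].rstrip("."), ioc))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_blocklist(DEFANGED_IOCS)):
        print("ALERT client=%s qname=%s ioc=%s" % hit)
```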
Read more: https://circleid.com/posts/dns-deep-diving-into-fakewallet-crypto-stealer