FakeWallet is a campaign that published over two dozen fake cryptocurrency apps to the Apple App Store to harvest users’ recovery phrases and private keys. Kaspersky links the apps to the SparkKitty toolkit, noting they typosquat major wallets and use browser-based phishing and Ledger-targeting implants to distribute infected wallet versions. #FakeWallet #SparkKitty
Keypoints
- Over two dozen fake cryptocurrency applications targeting iOS users were published to the Apple App Store.
- The FakeWallet campaign has operated since at least fall 2025 and aims to steal recovery phrases and private keys.
- Threat actors typosquatted names and icons of major wallets like Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet to trick users.
- Malicious apps used browser-based phishing, injected libraries, and Ledger implants to deliver infected wallet versions and harvest seed phrases.
- Kaspersky links the campaign to SparkKitty, Apple has started removing the apps, and the malicious modules could target users outside China.
Read More: https://www.securityweek.com/dozens-of-malicious-crypto-apps-land-in-apple-app-store/