Web3 Wallets Targeted by Chinese Hackers; “SeaFlower” Using Cloned Websites to Trick Crypto Traders – CPO Magazine

by Chuzde
June 23, 2022
CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

A hacking group out of China has been identified using a rather low-tech yet effective way to steal money from Web3 wallets: distributing altered versions that have holes programmed into them. The Chinese hackers cloned the distribution sites of legitimate wallets, tricking users into downloading a compromised version.

Researchers with digital advertising security firm Confiant spotted and tracked the threat actor’s activity, and characterize it as a “highly sophisticated” operation. The Chinese hackers are primarily targeting searches for a specific group of Web3 wallets and are focused on iOS and Android users.

Chinese hackers post clones of wallets, presentation and code “identical” (other than backdoors)

The Chinese hackers are having success with this approach primarily due to attention to detail, both in cloning the official websites of the Web3 wallets and the actual wallet code. The only difference between the legitimate download process and user experience and the cloned one is the insertion of backdoor code that allows them to drain funds from the victim.

Given the moniker “SeaFlower” by Confiant, the group’s identity is still unclear, but there are many clues placing them in China. Chinese macOS usernames have been associated with the group’s activity, the backdoor code contains some commentary in Chinese, certain frameworks used are common in the Chinese hacking community and originate from Chinese coders, and various elements of the attack infrastructure are associated with mainland China and Hong Kong IP addresses. The group also uses attack sites that are primarily in Chinese and English, and heavily focuses on baiting traffic from Chinese search engines.

The Chinese hackers are currently targeting four types of Web3 wallets: Coinbase Wallet, imToken, MetaMask and Token Pocket. The attackers target both the iOS and Android versions of these wallets. The Confiant researchers stress that the legitimate versions of these wallets are perfectly safe and do not have a vulnerability in them; the trick is in avoiding the tainted downloads when using search engines to find them.

The code that the Chinese hackers added to their bogus versions of the Web3 wallets uses several different escalating techniques to extract the user’s seed phrase, the recovery phrase needed to regain access to the wallet if the device holding it is lost. Different approaches are used for different Web3 wallets, but the malicious code tends to grab the seed phrase right after the user enters it during wallet setup.

The scam was uncovered by decrypting and monitoring HTTPS traffic from the apps while they were in use; they can be observed connecting to spoofed versions of legitimate domains associated with each wallet, usually with some minor altered spelling of the legitimate name (such as “metanask” instead of metamask). The seed phrase, wallet number and balance are smuggled out during these communications.

Official download sites of Web3 wallets cloned “perfectly”

While the backdoor element is necessary, the thing that really makes the attack work is the identical clones of the legitimate download sites.

The URLs are the only element that is not always carefully cloned, but they generally bear some relationship to the legitimate Web3 wallets (such as “appim.xyz” for imToken and “som-coinbase.com” for Coinbase Wallet). The attackers also appear to be using search engine optimization techniques to get listed high in the rankings for certain results, particularly on Baidu (where the attack sites sometimes crack the top 10 results for certain common search phrases related to downloading the apps).

The attack requires sideloading, something much more common (and easy to do) with Android. The Chinese hackers seem to have put much more work into getting access to the more protected iOS users. This includes provisioning profiles (which have since been reported to and delisted by Apple). The researchers also note that the malicious iOS code was buried much deeper and better obscured than the elements found in the Android app versions.

This attack on Web3 wallets is part of a broader trend of criminal hacker activity focusing on crypto transactions. Attempting to hack or cajole the seed phrase out of a target seems to be the most popular method, and phishing kits tailored to lower-skilled attackers have been appearing on underground markets in recent months.

Chris Olson, of The Media Trust, notes that cyber defenses are not necessarily keeping up with this development: “Cryptocurrency is rapidly becoming a battlefield for global cyber actors who target crypto owners through multiple channels. While many are waking up to the danger of email-based phishing scams, few are prepared for SEO and web-based attacks that target Internet traffic and mobile users. Aside from encouraging caution among NFT and crypto users, this incident has three implications: first, web and mobile devices are growing as threat surfaces – second, foreign actors can leverage those surfaces to target users around the world. Finally, Web3 may be vulnerable to the same threats that have made Web 2.0 unsafe for years, unless early adopters of the technology commit to minimum standards of digital safety and trust.”

All of the apps that were abused in this attack remain safe to download from their official sources and use. However, given the ability of the attackers to poison search results, enhanced caution in identifying these download sites is highly advised. Bitcoin.com maintains a list of wallets with direct links to their authentic sites, and many of these wallets are also listed on the official Apple and Android app stores and can be found via a direct search there. If a web browser search must be run for some particular wallet, it may be wise to run the URL that appears through a secondary search to ensure it actually belongs to the legitimate company.
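As a defender-side illustration of the URL-checking advice above and of the lookalike domains described earlier (“metanask” for MetaMask, “som-coinbase.com”, “appim.xyz”), here is an added example that is not from the article, CPO Magazine or Confiant: it checks the hosts a wallet app is observed contacting (for instance in proxy or TLS-inspection logs) against an allowlist of official domains and flags brand typosquats. The allowlist entries, the log format and the sample log lines are assumptions.

```python
import re

# Brands of the four wallets named in the article, used as detection pivots.
BRANDS = {"metamask": "MetaMask", "imtoken": "imToken",
          "coinbase": "Coinbase Wallet", "tokenpocket": "Token Pocket"}
# Assumed allowlist of official domains: maintain it from the vendors' own pages
# or a curated list, never from search results (those are what gets poisoned).
ALLOWLIST = {"metamask.io", "token.im", "coinbase.com", "tokenpocket.pro"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter swaps such as 'metanask'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the domains in this article."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str):
    """Return (verdict, brand) for a host a wallet app was seen connecting to."""
    reg = registrable(host)
    if reg in ALLOWLIST:
        return ("allowed", None)
    # Compare each label plus the hyphen-stripped second-level label ("somcoinbase").
    candidates = sorted(set(host.lower().split(".")) | {re.sub(r"[^a-z0-9]", "", reg.split(".")[0])})
    for cand in candidates:                        # brand name used verbatim on a foreign domain
        for brand, name in BRANDS.items():
            if brand in cand:
                return ("brand-embedded", name)
    best = min(((edit_distance(c, b), n) for c in candidates if len(c) >= 6
                for b, n in BRANDS.items()), default=(99, None))
    if best[0] <= 2:                               # typosquat within two edits of a brand
        return ("lookalike", best[1])
    return ("unknown", None)                       # unrelated name: only the allowlist catches it

def scan(log_lines):
    """Apply classify() to the host= field of proxy / TLS-inspection log lines."""
    return [(m.group(1), *classify(m.group(1)))
            for m in (re.search(r"host=(\S+)", ln) for ln in log_lines) if m]

# Constructed sample log lines (not real traffic); the hosts echo the article.
SAMPLE_LOG = ["app=MetaMask host=metamask.io", "app=MetaMask host=metanask.io",
              "app=Coinbase host=som-coinbase.com", "app=imToken host=appim.xyz"]
if __name__ == "__main__":
    for host, verdict, brand in scan(SAMPLE_LOG):
        print(f"{host:20} {verdict:15} {brand or ''}")
```

Note that a loosely related name like “appim.xyz” only trips the allowlist, not the brand heuristics, which is why a maintained allowlist of official domains is the primary control and the typosquat check is a supplement.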