Trusted No More: How Fake Crypto Wallets Slipped Into Apple’s App Store and Turned Security Into an Illusion

The assumption that official app stores like Apple’s are inherently secure has long been one of the core pillars of modern digital trust. Especially in the sensitive world of finance and cryptocurrency, millions of users rely on the idea that apps listed there have passed at least a baseline level of security scrutiny. However, a recent campaign has once again shattered that belief — and in a way that clearly demonstrates how advanced and strategic cybercriminal operations have become.

At Darkgate, we have frequently reported on fraud schemes in the finance and crypto space — from classic phishing campaigns and social engineering tactics to sophisticated attacks targeting wallet infrastructures. This latest case fits perfectly into that broader pattern, but elevates the threat to an entirely new level: the abuse of Apple’s App Store itself as an entry point for large-scale crypto theft.

At the center of the campaign are 26 malicious apps that successfully made their way into Apple’s App Store. These apps impersonated well-known and trusted crypto wallets, including MetaMask, Coinbase, Trust Wallet, and OneKey. At first glance, there was little to distinguish them from legitimate applications. Branding, logos, and naming conventions were carefully crafted to mirror the originals so closely that even experienced users could easily be misled.

The attackers demonstrated a high level of strategic thinking. Because many crypto-related apps face restrictions in China, the malicious applications were disguised as harmless tools such as games or calculator apps. For users, this created a sense of plausibility: it looked as though they had found a workaround for local restrictions. This highlights a critical aspect of modern cyberattacks: the exploitation of user expectations and behavioral patterns, not just technical vulnerabilities.

The real attack began only after installation. Once opened, the apps redirected users to convincing phishing websites that mimicked official crypto service portals, including those of hardware wallet providers such as Ledger. These pages guided victims through seemingly legitimate processes, such as downloading additional components or verifying their wallets.

A particularly dangerous element of the campaign is the abuse of iOS provisioning profiles. Provisioning profiles are a legitimate Apple mechanism that lets enterprises and developers distribute applications outside the App Store. Here the phishing pages walked victims through installing such a profile and, with it, a malicious wallet app: the App Store listing served only as the lure, while the component that does the actual stealing was sideloaded and so bypassed the App Store's security controls entirely.

Once installed, these trojanized applications targeted the most critical asset in any crypto environment: the seed phrase. This recovery phrase (a BIP39 mnemonic, typically 12 or 24 words) is the master key to a wallet. Anyone who possesses it can restore the wallet on another device without a password, two-factor authentication, or any other verification, because none of those protections exist at the key level; the phrase alone determines every private key.
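The following is an added example, not code from the article or from Kaspersky's research, showing concretely why the seed phrase is the master key: BIP39 derives the 64-byte wallet seed from the mnemonic (plus an optional passphrase) with nothing but PBKDF2-HMAC-SHA512, and BIP32 derives the master private key from that seed with one HMAC. No account password or second factor enters the computation, so whoever captures the words can reproduce the wallet on any device. The demo mnemonic is the all-zero-entropy vector from the BIP39 reference test set; its expected seed with passphrase "TREZOR" is the published reference value.

```python
"""Added example (not from the article): BIP39 mnemonic -> seed -> BIP32 master key.

Demonstrates that the recovery phrase alone fully determines a wallet's keys."""
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048          # fixed by the BIP39 specification
BIP32_HMAC_KEY = b"Bitcoin seed"  # fixed by the BIP32 specification


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation.

    password = NFKD(mnemonic with single spaces), salt = "mnemonic" + NFKD(passphrase),
    PBKDF2-HMAC-SHA512 with 2048 rounds, 64-byte output.
    Note that *any* string is accepted: there is no server, account or
    second factor that could reject a stolen phrase.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS, dklen=64
    )


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP32 master node: I = HMAC-SHA512(key="Bitcoin seed", data=seed).

    Returns (master_private_key, chain_code), 32 bytes each. Every child key
    in the wallet (all accounts, all addresses) is derived from this pair.
    """
    digest = hmac.new(BIP32_HMAC_KEY, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restores_same_wallet(phrase_a: str, phrase_b: str, passphrase: str = "") -> bool:
    """Two devices holding the same words (and passphrase) get the same master key."""
    key_a, _ = seed_to_master_key(mnemonic_to_seed(phrase_a, passphrase))
    key_b, _ = seed_to_master_key(mnemonic_to_seed(phrase_b, passphrase))
    return hmac.compare_digest(key_a, key_b)


# Constructed demo input: the all-zero-entropy mnemonic from the BIP39 test vectors.
DEMO_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    seed = mnemonic_to_seed(DEMO_MNEMONIC, "TREZOR")
    priv, chain = seed_to_master_key(seed)
    print("seed      :", seed.hex())
    print("master key:", priv.hex())
    # A victim typing the words into a phishing app hands over exactly this key.
    print("same wallet on attacker device:",
          restores_same_wallet(DEMO_MNEMONIC, "  ABANDON ".lower() * 11 + "about", "TREZOR"))
```

The optional BIP39 passphrase is the only additional secret in this chain. It is not a login password: it is mixed into the salt, so a phrase stolen without it yields a different (empty) wallet, which is why some wallets offer it as a "25th word". Most victims of a campaign like this one never set it.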

This is exactly where the attack strikes. The apps were designed to intercept seed phrases during wallet setup or recovery. The captured phrase was encrypted with RSA, Base64-encoded for transport (Base64 is an encoding, not encryption, and adds no secrecy of its own), and transmitted to the attackers' infrastructure. For victims, this means a complete loss of control over their assets.

Even more concerning is the use of psychological manipulation, particularly in cases involving hardware wallets like Ledger. Victims were prompted within the app to type their seed phrase manually under the pretense of security verification or recovery. A hardware wallet's entire security model rests on the seed never leaving the device, so no legitimate companion app has a reason to ask for it. This represents a modern evolution of phishing, one that relies less on exploiting software flaws and more on manipulating human trust.
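As an added example (not part of the article and not derived from the campaign's actual traffic), the following egress check looks for the two shapes of data the exfiltration described above would produce: a plaintext seed phrase, recognised heuristically as 12 to 24 lowercase words of 3 to 8 letters (the form of a BIP39 mnemonic), and an RSA-sized high-entropy Base64 blob (256, 384 or 512 bytes once decoded, i.e. exactly one RSA-2048/3072/4096 ciphertext block). The proxy log format, hostnames and JSON field names are invented for the demo; a real deployment would run the same checks on decrypted mobile traffic from a corporate proxy or MDM gateway.

```python
"""Added example (not from the article): flag seed-phrase exfiltration in POST bodies.

Scans constructed HTTP-proxy log lines for plaintext mnemonics and for
RSA-block-sized encrypted blobs, the two payload shapes a wallet stealer
of the kind described above would send."""
import base64
import binascii
import hashlib
import json
import math
import re

RSA_BLOCK_SIZES = {256, 384, 512}          # RSA-2048 / 3072 / 4096 ciphertext lengths
WORD_RE = re.compile(r"^[a-z]{3,8}$")      # BIP39 English words are 3-8 lowercase letters
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
ENTROPY_THRESHOLD = 6.5                    # bits/byte; ciphertext is ~7.2+, text is ~4-5
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) body=(?P<body>.*)$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (plug-in estimate)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_mnemonic(value: str) -> bool:
    """Heuristic: right word count and every word shaped like a BIP39 word."""
    words = value.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def looks_like_rsa_ciphertext(value: str) -> bool:
    """Base64 that decodes to exactly one RSA block of near-random bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) in RSA_BLOCK_SIZES and shannon_entropy(raw) > ENTROPY_THRESHOLD


def scan_body(body: dict) -> list:
    """Return (field, reason) for every suspicious string field in a JSON body."""
    findings = []
    for key, value in body.items():
        if not isinstance(value, str):
            continue
        if looks_like_mnemonic(value):
            findings.append((key, "plaintext seed phrase"))
        elif looks_like_rsa_ciphertext(value):
            findings.append((key, "RSA-sized encrypted blob"))
    return findings


def scan_log(lines) -> list:
    """Parse proxy lines, inspect JSON POST bodies, return alert dicts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue
        for field, why in scan_body(body):
            alerts.append({"host": m.group("host"), "path": m.group("path"),
                           "field": field, "why": why})
    return alerts


# --- constructed sample traffic (all hosts/paths/fields are invented) -------------
DEMO_PHRASE = "abandon " * 11 + "about"
# Stand-in for an RSA-2048 ciphertext: 256 deterministic pseudo-random bytes.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(b"demo-block-%d" % i).digest() for i in range(8))
# Benign 256-byte blob (text) to show the entropy check does not fire on it.
BENIGN_BLOB = (b"The quick brown fox jumps over the lazy dog. " * 6)[:256]

SAMPLE_LOG = [
    "2025-01-01T10:00:00Z GET  cdn.example /app.js body=",
    "2025-01-01T10:00:01Z POST wallet-verify.example /api/verify body="
    + json.dumps({"device": "iPhone", "phrase": DEMO_PHRASE}),
    "2025-01-01T10:00:02Z POST api.update-check.example /v1/ping body="
    + json.dumps({"payload": base64.b64encode(FAKE_CIPHERTEXT).decode()}),
    "2025-01-01T10:00:03Z POST images.example /avatar body="
    + json.dumps({"data": base64.b64encode(BENIGN_BLOB).decode(), "note": "hello there"}),
    "2025-01-01T10:00:04Z POST telemetry.example /log body=not-json-at-all",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The entropy gate is what keeps the second rule from firing on ordinary Base64 attachments of the same size, and the word-shape rule will match any lowercase twelve-word sentence, so in practice both should be corroborated with the destination (a newly registered host or one unrelated to the app's vendor) rather than used as standalone block rules.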

Security researchers at Kaspersky have attributed the campaign to a broader operation named "FakeWallet," with links to an ongoing campaign known as "SparkKitty," active since last year. This indicates that the attack is not an isolated incident, but part of a sustained and well-organized effort.

Although the campaign primarily targeted users in China, there are no technical limitations preventing a global expansion. The techniques used are universally applicable and could easily be deployed in other regions at any time.

Apple has since removed the malicious apps following responsible disclosure. However, a critical question remains: how were these apps able to pass Apple's App Store review process in the first place? This is where the real significance of the incident lies. If even tightly controlled ecosystems can be infiltrated, the entire trust model begins to shift.

For users, this leads to an uncomfortable but necessary conclusion: trust alone is no longer sufficient. Even official platforms must be approached with caution, particularly when financial assets are involved. The recommendation to reach wallet apps only through links on the wallet provider's official website has become more important than ever, as has a simple rule that would have defeated every stage of this campaign: never type a seed phrase into any app, website or form, whatever justification is offered, and never install a configuration or provisioning profile that a website asks for.

This case also highlights how cybercrime has evolved. It is no longer about isolated malware or standalone phishing attempts. Instead, we are witnessing complex attack chains that combine multiple layers: App Store infiltration, social engineering, abuse of legitimate system features, and targeted data exfiltration.

For security vendors, from traditional firewall providers to advanced cloud and endpoint protection platforms, this represents the new reality. The boundaries between infrastructure, application, and user behavior are increasingly blurred. As a result, defense strategies must become more holistic and adaptive.

Ultimately, the key takeaway is clear: the weakest point is no longer the technology itself, but the intersection between trust and control. That is precisely where modern attackers operate, with precision, scalability, and often invisibly until the damage is already done.

The Apple App Store has long been seen as a symbol of security. This incident demonstrates that even closed ecosystems are not immune. Moving forward, it demands a shift in mindset: more skepticism, more transparency, and a significantly higher level of awareness regarding the mechanisms behind digital attacks.

Darkgate is an independent magazine.

Darkgate Editorial Team