Chinese threat actors go after iOS and Android web3 wallets


Believed to be the most sophisticated actor targeting web3 users, SeaFlower drains funds from Coinbase, MetaMask, TokenPocket, and imToken crypto wallets.

Researchers at Confiant identified the SeaFlower malicious activity cluster in March 2022.


Based on uncovered macOS usernames, source code comments, infrastructure, malicious websites hosted on Hong Kong IP addresses, and the abuse of Alibaba’s Content Delivery Network, researchers presume it has “a strong relationship with a Chinese-speaking entity yet to be uncovered.”

“We believe SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group,” they said.

The main objective of the extensive SeaFlower campaign is to modify web3 crypto wallets with backdoor code that ultimately exfiltrates the seed phrase, the group of random words a crypto wallet generates when a user first sets it up and from which the wallet’s private keys can be recovered.

Confiant observed SeaFlower targeting iOS and Android wallets, namely Coinbase, MetaMask, TokenPocket, and imToken. By cloning official websites, the SeaFlower campaign distributed backdoored wallets.

“Any users lured into downloading SeaFlower backdoored wallets will ultimately lose their funds,” the company said.

The threat actors reach their victims through search engines such as Baidu, redirecting users who search for the wallets to the cloned sites that serve the malicious apps.

“What I liked about this cluster of activity is that it is unique, web3 related, and not reported before. It seems there were a lot of efforts on the iOS side of things, for example, setting up provisioning profiles, automatic deployments, sophisticated backdoor code, etc. More work has been done compared to the Android side of things,” Confiant said.
