Fake Crypto Wallet Apps on Apple App Store Can Drain Assets: Report

Cybersecurity firm Kaspersky has flagged 26 fake crypto wallet apps on the Apple App Store that were designed to steal recovery phrases and private keys, putting users’ digital assets at direct risk of theft.

The findings, published in March 2026, revealed a coordinated phishing campaign dubbed “FakeWallet” that impersonated major wallet brands including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The apps passed Apple’s review process and appeared alongside legitimate listings in the App Store.

Kaspersky Found 26 Phishing Apps Mimicking Top Wallet Brands

Kaspersky researcher Sergey Puzan detailed the campaign in a forensic report on Securelist, identifying 26 phishing apps that copied the branding, icons, and interface patterns of widely used crypto wallets. The apps were concentrated in the Chinese App Store, where many official wallet apps are unavailable for users with China-region Apple IDs.

That distribution gap gave scammers a ready-made audience. Users searching for wallets like MetaMask or Trust Wallet in that region had limited access to verified versions, making the fakes harder to distinguish from real products.

The scale of the campaign suggests organized effort rather than isolated scam attempts. With seven major wallet brands targeted across 26 apps, the attackers built a broad net designed to capture credentials from multiple user segments in the crypto ecosystem.

How the Apps Reached the Store

The fake apps reportedly passed Apple’s review process by disguising their malicious functionality. Several of the listings mimicked legitimate App Store pages closely enough to avoid immediate detection by both automated scans and manual reviewers.

Apple’s own data shows the platform removed nearly 9,500 deceptive apps from App Store search results in 2024 and rejected over 320,000 app submissions for being spam, copycats, or misleading to users. Despite those numbers, the FakeWallet campaign still slipped through.

Seed Phrase Theft Was the Primary Attack Vector

Once installed, the fake apps redirected victims to phishing pages or trojanized wallet onboarding flows. The core attack targeted recovery phrases and private keys, the credentials that grant full control over a crypto wallet and its contents.

Victims were prompted to enter their seed phrases during what appeared to be a standard wallet setup or restoration process. The captured credentials were then exfiltrated to command-and-control infrastructure controlled by the attackers.

MetaMask’s own safety documentation reinforces why this was a red flag. The wallet provider states that “MetaMask does not need you to routinely enter your Secret Recovery Phrase,” making any app that requests it during normal use a likely phishing attempt.

“We’ve reported all of these findings to Apple, and several of the malicious apps have already been pulled from the store.”

— Sergey Puzan, Kaspersky (Securelist)

Red Flags in the Fake Listings

Several indicators could have alerted careful users. The phishing apps often had recent upload dates, few or suspicious reviews, and developer names that did not match the official wallet providers. Some redirected users to external pages styled to look like the App Store itself.

Any wallet app that asks for a seed phrase outside of an initial wallet import flow should be treated as suspect. Legitimate wallets generate seed phrases during setup but rarely request them again afterward. As concerns about digital asset security grow, users may want to understand how broader regulatory efforts like the North Carolina Digital Asset and Stablecoin Act could shape platform accountability standards.

Apple Removed 25 of 26 Apps Before the Report Went Public

BleepingComputer reported that Apple removed 25 of the 26 flagged apps before Kaspersky published its findings. The last remaining app was subsequently removed, and the associated developer account was terminated.

The speed of Apple’s response suggests its trust-and-safety team acted on Kaspersky’s report before publication. Still, the incident raises questions about how 26 coordinated phishing apps cleared the review process in the first place.

Apple has previously cited its fraud prevention track record, noting it prevented over $9 billion in fraudulent App Store transactions over five years. The FakeWallet campaign shows that even aggressive fraud detection leaves gaps when attackers target niche categories with limited official app availability.

For crypto holders who rely on mobile wallets, the incident is a reminder to verify downloads through official channels. Users should go to the wallet provider’s own website and follow its verified App Store link rather than searching the store. Checking the developer name, download count, and review history before installing any wallet app reduces exposure to copycat listings.
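The listing checks from the red-flags section and the verification advice above, as an added example that is not part of the original article or of Kaspersky's report: a triage function over App Store listing metadata. Field names follow Apple's iTunes Search API results; the publisher allowlist, thresholds and sample listings are constructed placeholders, and the Unicode normalization of app names goes beyond what the article describes.

```python
import unicodedata
from datetime import datetime, timezone

# Assumption: placeholder publisher names. Take the real ones from each
# wallet provider's own website, not from store search results.
OFFICIAL_SELLERS = {
    "metamask": {"EXAMPLE-METAMASK-PUBLISHER"},
    "ledger": {"EXAMPLE-LEDGER-PUBLISHER"},
}
MIN_AGE_DAYS = 90   # assumed cut-off for a "recent upload"
MIN_RATINGS = 500   # assumed cut-off for "few reviews"

def triage(listing, now):
    """Return the red flags one listing raises; [] means none of these checks fired."""
    # NFKC + casefold so full-width or mixed-case brand spellings still match.
    name = unicodedata.normalize("NFKC", listing.get("trackName", "")).casefold()
    brands = [b for b in OFFICIAL_SELLERS if b in name]
    if not brands:
        return []  # listing does not use a monitored wallet brand
    flags = []
    if not any(listing.get("sellerName") in OFFICIAL_SELLERS[b] for b in brands):
        flags.append("developer-mismatch")
    released = datetime.fromisoformat(listing["releaseDate"].replace("Z", "+00:00"))
    if (now - released).days < MIN_AGE_DAYS:
        flags.append("recent-upload")
    if listing.get("userRatingCount", 0) < MIN_RATINGS:
        flags.append("few-reviews")
    return flags

# Constructed sample listings (not real App Store data).
SAMPLE = [
    {"trackName": "MetaMask Wallet", "sellerName": "EXAMPLE-METAMASK-PUBLISHER",
     "releaseDate": "2020-09-02T07:00:00Z", "userRatingCount": 48000},
    # Brand written in full-width Unicode letters.
    {"trackName": "\uff2d\uff45\uff54\uff41\uff2d\uff41\uff53\uff4b Wallet Pro",
     "sellerName": "Constructed Dev Ltd",
     "releaseDate": "2026-02-20T08:00:00Z", "userRatingCount": 12},
    {"trackName": "Ledger Live Helper", "sellerName": "Constructed Studio",
     "releaseDate": "2024-01-10T08:00:00Z", "userRatingCount": 3},
    {"trackName": "Weather Now", "sellerName": "Constructed Weather Inc",
     "releaseDate": "2026-03-01T08:00:00Z", "userRatingCount": 2},
]

def run_sample():
    now = datetime(2026, 3, 15, tzinfo=timezone.utc)
    return [triage(item, now) for item in SAMPLE]

if __name__ == "__main__":
    print(run_sample())
```

A flagged listing is a candidate for manual review; an empty result only means none of these three checks fired.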

The crypto mining sector faces its own set of trust and verification challenges. Companies like American Bitcoin and TeraWulf operate in a space where distinguishing legitimate operations from fraudulent ones requires similar diligence from investors.

The Fear and Greed Index currently sits at 33, reflecting a broader climate of caution in crypto markets. Against that backdrop, security incidents involving trusted platforms like the App Store amplify the case for verifying every tool in the digital asset chain, from the wallet app on a phone to the exchange holding funds.
