2026-04-24 The Hacker News

Fake Apple Crypto Wallet Apps Steal Seed Phrases – 26 Apps Detected

Malware, Phishing, Privacy

Cybersecurity researchers at CleverSight Threat Intelligence have uncovered a cluster of 26 malicious iOS applications that masquerade as popular cryptocurrency wallets such as Trust Wallet, MetaMask, and Exodus. The rogue apps, uploaded to the Apple App Store between early February and mid‑March 2026, employed a trojanized version of the official wallet SDK that introduced a covert function called collectSeed(). When a user entered their 24‑word recovery phrase, collectSeed() captured the input, base64‑encoded it, and transmitted the payload over a TLS 1.3‑encrypted channel to a command‑and‑control (C2) server hosted in a Baltic‑based cloud provider. According to the researchers, the apps were downloaded approximately 12 500 times before Apple removed them on March 19, after a coordinated disclosure.

The campaign, dubbed SeedSnatch by the CleverSight team, abused Apple’s enterprise distribution certificates and sidestepped the App Store’s review process by presenting benign UI screens during automated checks. Once approved, the apps dynamically fetched a malicious payload from a remote JSON configuration file, allowing the operators to update C2 endpoints without resubmitting the software. The malware also registered a background service that monitored the device for any new wallet installations, further increasing its persistence and exfiltration capabilities.

In addition to seed‑phrase theft, the rogue apps prompted users to enable iCloud backup under the guise of “secure seed phrase storage.” This request enabled the trojan to exfiltrate not only the recovery phrase but also transaction histories, contact lists, and any other data included in the iCloud backup. The C2 infrastructure leveraged domain fronting through a widely used content‑delivery network to obscure the true destination of the stolen credentials, while DNS‑over‑HTTPS queries hid the DNS resolution process from network monitors.
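The two exfiltration traits described above, a base64-encoded recovery phrase in the request body and domain fronting through a CDN, are both visible to an egress proxy that terminates TLS. The following is an added example of detection logic written for this page; it is not code from CleverSight, The Hacker News, or any wallet project. It assumes the inspector sees the TLS SNI, the HTTP Host header, and the plaintext body of each outbound request (as it would after a corporate TLS-inspection proxy), and it uses a constructed sample record rather than any captured SeedSnatch traffic. The seed-phrase check is a heuristic (12 to 24 short lowercase words) rather than a full BIP-39 wordlist match.

```python
import base64
import re
from dataclasses import dataclass

# Heuristic shape of a BIP-39 word: short, lowercase, alphabetic.
WORD_RE = re.compile(r"^[a-z]{3,8}$")
# Valid BIP-39 mnemonic lengths in words.
VALID_WORD_COUNTS = {12, 15, 18, 21, 24}
# Runs of base64 alphabet long enough to hold at least a short phrase.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class EgressRecord:
    """One outbound HTTPS request as seen after TLS termination (assumed schema)."""
    sni: str          # server name from the TLS ClientHello
    host_header: str  # Host header inside the decrypted HTTP request
    body: bytes       # decrypted request body


def looks_like_seed_phrase(text: str) -> bool:
    """True if text is a whitespace-separated list of 12/15/18/21/24 word-like tokens."""
    words = text.strip().split()
    return len(words) in VALID_WORD_COUNTS and all(WORD_RE.match(w) for w in words)


def decode_base64_candidates(body: bytes):
    """Yield every base64 run in the body that decodes to printable ASCII text."""
    for match in B64_RUN_RE.finditer(body):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True)
            yield decoded.decode("ascii")
        except ValueError:
            # Covers binascii.Error (bad padding/alphabet) and UnicodeDecodeError.
            continue


def analyze(record: EgressRecord) -> list[str]:
    """Return a list of finding tags for one egress record (empty list means clean)."""
    findings = []
    # Domain fronting indicator: the TLS SNI names the CDN front while the
    # inner Host header names the real (hidden) destination.
    if record.sni.lower() != record.host_header.lower():
        findings.append("sni_host_mismatch")
    # Seed-phrase exfiltration indicator: a base64 blob that decodes to a mnemonic.
    for text in decode_base64_candidates(record.body):
        if looks_like_seed_phrase(text):
            findings.append("base64_seed_phrase")
            break
    return findings


# Constructed sample phrase (ordinary English words, not a real wallet seed).
SAMPLE_PHRASE = (
    "apple banana cherry dragon eagle falcon garden harbor island jungle "
    "kettle lemon mango nectar orange pepper quartz river sunset tiger "
    "umbrella violet walnut yellow"
)

# Constructed record imitating the exfiltration shape described in the article:
# CDN hostname in SNI, hidden C2 hostname in Host, base64 phrase in the body.
SAMPLE_EXFIL = EgressRecord(
    sni="cdn.example.net",
    host_header="c2-placeholder.example",
    body=b"seed=" + base64.b64encode(SAMPLE_PHRASE.encode()) + b"&dev=ios",
)

# Constructed benign record: matching SNI/Host and a body with no mnemonic.
SAMPLE_BENIGN = EgressRecord(
    sni="api.example.com",
    host_header="api.example.com",
    body=b'{"balance": "0.5", "token": "abcdefghijklmnop"}',
)

if __name__ == "__main__":
    for name, rec in (("exfil", SAMPLE_EXFIL), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(rec))
```

Neither signal is proof on its own: legitimate CDN traffic can show SNI/Host differences, and short word lists appear in ordinary text, so in practice both tags would feed a correlation rule (for example, both present in one request from a wallet app's process) rather than block traffic outright.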

Security experts recommend that cryptocurrency users never enter their seed phrases into any mobile application, even those hosted on official app stores. Users should rely on hardware wallets for key management, verify the publisher’s certificate fingerprint before installation, and enable two‑factor authentication on their Apple IDs. The SeedSnatch incident underscores the need for stricter vetting of financial‑related apps and highlights the ongoing risk of supply‑chain attacks targeting the rapidly expanding digital‑asset ecosystem.

Source: The Hacker News
