26 'FakeWallet' Apps Caught on Apple App Store Targeting MetaMask, Ledger, and Trust Wallet Seed Phrases

Apple's App Store, marketed for years as the safest place on the internet to download an app, just delivered a sharply embarrassing episode for crypto-curious users. Researchers say at least 26 fraudulent apps slipped through review and onto the storefront, every one of them dressed up to look like a legitimate cryptocurrency wallet.

The campaign, dubbed "FakeWallet" by the analysts who flagged it, allegedly impersonates major names including MetaMask, Ledger, Coinbase, Trust Wallet, TokenPocket, imToken and Bitpie. The icons mirror the originals closely enough to fool a quick glance, while names rely on subtle typos (think "LeddgerNew" or stretched spellings) to evade Apple's automated checks. Once installed, the apps either route victims to phishing pages or hook directly into the screen where users type their recovery phrases.
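For defenders triaging app inventories or store listings, the naming trick described above can be screened for. The sketch below is an added example, not code from the researchers or from Apple: it collapses stretched spellings and reports which of the impersonated brands a listing name resembles. The length-based tolerance and the function names are assumptions, and a hit only means the listing's publisher should be checked against the vendor's real developer account.

```python
import re

# Brands the article lists as impersonated by the campaign.
BRANDS = ["MetaMask", "Ledger", "Coinbase", "Trust Wallet",
          "TokenPocket", "imToken", "Bitpie"]

def normalize(name):
    """Lowercase, keep letters only, collapse repeated letters
    so a stretched spelling such as 'leddger' becomes 'ledger'."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return re.sub(r"(.)\1+", r"\1", letters)

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def resembles(app_name):
    """Return the brand an app name resembles, or None.

    Assumed tolerance: brands of 7+ normalized letters may differ by one
    edit; shorter brands must match exactly after normalization, which
    keeps words like 'knowledge' from matching 'ledger'.
    """
    norm = normalize(app_name)
    for brand in BRANDS:
        target = normalize(brand)
        allowed = 1 if len(target) >= 7 else 0
        # Slide a window over the name so suffixes like 'New' or 'Pro'
        # do not hide the brand inside a longer string.
        for width in range(len(target) - allowed, len(target) + allowed + 1):
            for start in range(len(norm) - width + 1):
                if edit_distance(norm[start:start + width], target) <= allowed:
                    return brand
    return None

if __name__ == "__main__":
    # Constructed sample listing names, apart from 'LeddgerNew' (from the article).
    for name in ["LeddgerNew", "Truust Wallet Pro", "Coinbasse Vault",
                 "Knowledge Quiz", "Weather Radar"]:
        print(f"{name!r:22} -> {resembles(name)}")
```

The check works on ASCII letters only, so names built from look-alike Unicode characters need a separate confusables mapping before this step.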

Why the Asia-Pacific Angle Matters

While the bait list reads global, several of the impersonated wallets, including Bitpie, imToken and TokenPocket, have especially deep user bases across China, Hong Kong, Taiwan and Southeast Asia. Security researchers first reported that mainland users were among the earliest targeted, and several variants were configured with Chinese-language phishing flows. That regional skew is not surprising. Self-custody adoption has been climbing fast across Asia, and many users get their wallets through the App Store rather than a desktop browser.

The targeting also underscores a longstanding gap in mobile wallet security culture. Hardware wallet vendors have spent years drilling into customers that seed phrases never go into a phone, ever. The reality is that millions of users do exactly that during onboarding, and a convincing fake interface is enough to drain a wallet in a single tap of "submit."

How the Scam Pulls Off the Theft

Two attack patterns have been observed. In the first, the malicious app launches and immediately redirects the user to a browser page styled to mimic the App Store, prompting them to install a second "real" wallet that is itself trojanized. In the second, the app loads what appears to be the legitimate wallet onboarding flow but inserts a fake verification step demanding the recovery phrase, which is then quietly exfiltrated to an attacker-controlled server.

Either way, the result is the same: the operators capture the master key and drain assets within minutes. AppleInsider reported earlier that one such app alone is alleged by independent researchers to have netted around $9.5 million before being removed. Apple has not confirmed any specific dollar figures.

What Apple Is and Is Not Doing

Apple has pulled most of the identified apps after disclosure. The company has not commented publicly on how the apps cleared review, nor on whether the same developer accounts have been blocked from publishing future updates. For users who installed any of the flagged apps, the only safe assumption is that the seed phrase entered into them is already compromised, and any funds tied to that phrase need to be moved to a new wallet immediately.

The broader picture is uglier than 26 takedowns. App-Store-led trust assumptions are wearing thin in the crypto space, and reviewers seem perpetually one move behind the people building these clones. Until that changes, the safest install path remains the one that crypto veterans have been preaching for a decade: download from the wallet provider's own website, verify the developer signature, and never type a seed phrase into anything that asked for it first.

---------------

Author: Seta Tsuruki
Asia Newsroom

Via Cryptocurrency News Live | Breaking Crypto News - Realtime Prices, Analysis, Predictions... https://ift.tt/YFAR42U
