"Web3 Wallets Targeted by Chinese Hackers; 'SeaFlower' Using Cloned Websites to Trick Crypto Traders"

A Chinese hacking group has been observed using a low-tech but effective method to steal money from Web3 wallets: distributing altered versions of the wallet apps with backdoors programmed into them. The hackers cloned legitimate wallet distribution sites, tricking users into downloading a compromised version. Confiant researchers discovered and tracked the threat actor's activity, which they describe as a "highly sophisticated" operation. The hackers primarily target searches for a specific group of Web3 wallets and focus on iOS and Android users. Their success with this approach is mainly due to their attention to detail in cloning both the official websites of the Web3 wallets and the wallet code itself. The only difference from the legitimate download process and user experience is the addition of backdoor code that enables the attackers to drain the victim's funds.

Confiant dubbed the group "SeaFlower," but its identity remains unknown. However, numerous clues point to China: Chinese macOS usernames are linked to the group's activity, and the backdoor code contains some Chinese-language comments. In addition, some of the frameworks used are common in the Chinese hacking community and originated from Chinese coders.

Currently, the hackers are targeting four Web3 wallets: Coinbase Wallet, imToken, MetaMask, and Token Pocket. Both the iOS and Android versions of these wallets are targeted. The Confiant researchers emphasize that the legitimate versions of these wallets are completely safe and contain no vulnerabilities; the key is to avoid tainted downloads when looking for them through search engines. This article continues to discuss findings regarding the targeting of Web3 wallets by the SeaFlower hacking group.

CPO Magazine reports "Web3 Wallets Targeted by Chinese Hackers; 'SeaFlower' Using Cloned Websites to Trick Crypto Traders"
