Suspected Chinese hackers have launched the novel SeaFlower campaign, which involves spoofing legitimate cryptocurrency wallet applications on Android and iOS to facilitate seed phrase theft, SecurityWeek reports.
Backdoored versions of Coinbase Wallet, imToken, MetaMask Wallet, and TokenPocket have been developed by the attackers; they preserve the original apps' functionality while stealing users' seed phrases, which can then be used to drain the victims' cryptocurrency, a Confiant report revealed. Search engine poisoning has been used to lure victims into downloading the apps from websites created by the attackers, according to researchers, who also noted that SeaFlower shows limited to no infrastructure overlap with other known activity, as well as a notable level of coordination and technical capability. SeaFlower has been attributed to Chinese hackers based on the presence of Chinese usernames, source code comments, and infrastructure, as well as the abuse of Chinese search engines.
"There are some notable challenges when it comes to SeaFlower attribution, for example figuring out if the provisioning servers are run by the same group, and also identifying more initial vectors of the attack besides the Chinese search engines. All these are difficult challenges due to the geographical and language barrier aspects," Confiant said.