FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
Summary
The FakeWallet campaign is actively distributing 26 malicious apps that impersonate crypto wallets and steal seed phrases, putting users in China at immediate risk of wallet takeover and asset theft. The operation uses fake branding and typosquatting to lure victims into downloading apps whose app-store listings are disguised as games or calculator apps. Those lures redirect users to phishing pages and then to trojanized wallet installs. The same tradecraft is associated with SparkKitty, which has been running since last year.
Related Happenings
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
First: 05.05.2026 12:07
Last: 05.05.2026 12:07
Sources 1
About this happening:
**ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
Timeline
- 24.04.2026 14:48 · 1 article · 1mo ago
FakeWallet linked to SparkKitty operators
Attribution Update: Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Sources:
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- 21.04.2026 00:52 · 1 article · 1mo ago
Kaspersky identifies FakeWallet crypto wallet phishing campaign
Initial Disclosure: Kaspersky identified FakeWallet, a campaign of 26 malicious apps in the Apple App Store that impersonated Metamask, Coinbase, Trust Wallet, and OneKey to steal recovery or seed phrases and drain cryptocurrency assets. The apps targeted users in China, used typosquatting and fake branding, redirected victims to phishing pages, and abused iOS provisioning profiles to sideload trojanized wallet apps; Apple removed all 26 apps after Kaspersky's responsible disclosure.
Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52