Cybersecurity firm Kaspersky has identified 26 fraudulent cryptocurrency wallet applications on Apple’s App Store designed to steal users’ digital assets.

The Threat Research team at Kaspersky discovered that these apps mimic well-known crypto wallets like MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie by copying their names and branding to seem legitimate. Once users open these apps, they redirect to phishing sites that resemble the App Store interface, urging downloads of a secondary application—a trojanized wallet capable of draining digital funds.

How The Scam Operates

Kaspersky reported that this scheme has been in operation since at least Fall 2025 and is moderately suspected to be linked to the threat actors behind SparkKitty, a previously identified iOS malware strain. While the genuine versions of these wallet apps are not available in China’s iOS App Store, the phishing applications were primarily directed at users in China. However, the malicious software has no regional restrictions, meaning users outside of China could also be affected. Kaspersky has informed Apple of all identified malicious apps.

The fraudulent apps often include features unrelated to cryptocurrency, such as games and calculators to appear legitimate and pass initial scrutiny. After installation, they guide users to a phony App Store page that encourages the download of what seems to be the true wallet application.

This installation process mimics that of SparkKitty, utilizing Apple’s enterprise developer tools to distribute apps corporately. Users are asked to install a developer profile, allowing them to download apps outside the App Store—a step that attackers depend on users to overlook, facilitating malware installation.

Once installed, the trojanized wallets replicate the functionality of the wallets they impersonate, targeting both hot and cold wallets. Sergey Puzan, Kaspersky’s mobile malware expert, expressed that while the apps themselves might not be overtly harmful, they are entry points in a larger attack strategy that ultimately leads to malware installation.

Warning

“By paying a fee and setting up a developer account, the attackers can target any iOS device if the user falls for the phishing approach. Users should be cautious about the risks associated with managing their crypto wallets, even on devices like iPhones that they consider secure. We anticipate that more trojanized crypto applications may be distributed using similar tactics.”

Counterfeit Ledger Device

This report comes just days after the discovery of a counterfeit Ledger Nano S Plus device sold via an online marketplace, exposed as part of a sophisticated phishing scheme designed to capture crypto wallet credentials, revealed by a Brazilian cybersecurity researcher. Though marketed as an official product, it failed verification upon connection to Ledger Live.

Takeaway: The researcher found that the fake device contained components misrepresenting authentic hardware, such as a chip with removed markings and unauthorized WiFi and Bluetooth antennas.