The SeaFlower campaign has emerged as a sophisticated threat to Web3 users, targeting popular cryptocurrency wallets with meticulously crafted backdoors. These covert operations aim to stealthily extract seed phrases and deplete users’ funds, marking one of the most advanced challenges faced by Web3 security to date.
Targeting Major Cryptocurrency Wallets
The SeaFlower campaign focuses on four widely-used wallets: Coinbase Wallet, MetaMask, TokenPocket, and imToken, affecting both iOS and Android users. The malicious applications are indistinguishable from their genuine counterparts, making it nearly impossible for users to identify any discrepancies during typical cryptocurrency transactions.
Confiant analysts have linked the SeaFlower threat to Chinese-speaking actors, uncovering evidence such as Chinese comments in backdoor codes and developer names linked to Chinese origins. Additionally, the infrastructure supporting these operations traces back to Chinese and Hong Kong IP addresses, with domain names utilizing .cn TLDs.
Deception Tactics and Infrastructure
A significant portion of the SeaFlower campaign’s success stems from its use of Chinese search engines. Users searching for wallet downloads are redirected to websites operated by SeaFlower threat actors. These sites, designed to mimic official download pages, deceive users into downloading trojanized apps.
The backdoor mechanism on iOS begins with downloading a provisioning profile from a fraudulent website, allowing the app to bypass the Apple App Store’s security measures. The Android approach involves injecting malicious code that activates when a seed phrase is saved, sending the data to a command-and-control domain.
Protecting Against SeaFlower and Similar Threats
To safeguard against such threats, users should only download apps from verified sources such as the Apple App Store or Google Play Store. It is crucial to avoid approving unknown provisioning profiles on iOS, which could permit unauthorized software to bypass security protocols.
Developers are encouraged to incorporate defenses against modifications, such as inline hook detection and library injection detection. Monitoring network traffic for unexpected domains can also help identify potential threats.
Conclusion and Recommendations
As the SeaFlower campaign demonstrates, the complexity of threats facing Web3 users continues to evolve. Staying informed about these tactics and adopting robust security practices is essential for protecting digital assets. Regularly verifying app integrity and monitoring network activities can substantially mitigate risks.
For more insights and updates, follow us on Google News, LinkedIn, and X, and set CSN as your preferred source on Google.
