Global Stock News

DNS Deep Diving into FakeWallet Crypto Stealer

This March, researchers uncovered more than 20 phishing apps masquerading as popular crypto wallets. When clicked, however, they redirected users to fake App Store pages that hosted trojanized versions of the legitimate apps. If downloaded, the malicious apps, dubbed “FakeWallet,” hijacked affected users’ recovery phrases and private keys. Worse, FakeWallet metadata suggests the campaign has been going on since at least fall 2025.

SecureList publicized 24 network IoCs comprising subdomains, domains, and an IP address in their FakeWallet analysis. We extracted unique domains from the subdomain IoCs they listed and determined whether any of them belonged to legitimate organizations using the WhoisXML API MCP Server. We…
