imToken, TokenPocket, MetaMask and Coinbase: Sophisticated SeaFlower Backdoor Campaign Targets Web3 Wallets to Steal Seed Phrases

SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting Cryptocurrency Users

A newly uncovered cyber threat campaign, SeaFlower (藏海花), has been targeting users of popular Web3 cryptocurrency wallets with advanced backdoor attacks designed to steal seed phrases and drain funds. Discovered by Confiant analysts, this operation is among the most technically sophisticated threats to Web3 users documented to date, leveraging reverse engineering, app cloning, and covert data exfiltration.

Targets and Tactics

SeaFlower focuses on four major wallets, Coinbase Wallet, MetaMask, TokenPocket, and imToken, on both iOS and Android. The malicious apps are pixel-perfect replicas of the legitimate versions, so a user has almost no visual way to tell them apart. The campaign’s infrastructure, including domains registered under the .cn TLD and abuse of Alibaba CDN, points to Chinese-speaking operators, as do source code comments, developer usernames, and the modding frameworks used, all of which are tied to the region.

Victims are lured through cloned download sites promoted via Chinese search engines like Baidu, Sogou, 360 Search, and Shenma. These fake sites mimic official wallet pages, complete with fabricated ratings and download counts, tricking users into installing trojanized apps.

How the Backdoor Works

Once installed, the backdoored wallets function normally while silently executing malicious code:

  • iOS: Installation starts with the download of a provisioning profile, which lets the app be installed outside the App Store and so sidesteps App Store review. An injected .dylib hooks the app’s Objective-C runtime using Cydia Substrate and MonkeyDev, intercepting NSData’s dataWithContentsOfFile:options:error: method at the moment MetaMask loads its JavaScript bundle. An obfuscated class (FKKKSDFDFFADS) decrypts an RSA-encrypted payload, and seed phrases, wallet addresses, and balances are exfiltrated to attacker-controlled domains (e.g., trx.lnfura[.]org, a lookalike of Infura).

  • Android: For Coinbase Wallet, malicious smali code in a class named XMPMetadata triggers an HTTP POST request when a seed phrase is saved, sending data to colnbase[.]homes/u/sms/.
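The two implant points above give a defender concrete static indicators. The following Python scanner is an added example, not code from the original article or from Confiant: it opens an IPA or APK (both are zip archives), flags the string indicators the writeup names (trx.lnfura[.]org, colnbase[.]homes, the /u/sms/ path, the FKKKSDFDFFADS class) anywhere in the package and, only inside .dylib or framework members, the Substrate hooking strings and the hooked selector, because the genuine MetaMask binary legitimately references dataWithContentsOfFile:options:error: itself. The MSHookMessageEx symbol and the embedded.mobileprovision check are my assumptions about how a Substrate-hooked, sideloaded build looks, not facts from the page, and the sample archives are constructed in memory.

```python
"""Static indicator scan for a sideloaded IPA/APK, modelled on the SeaFlower
tradecraft described above. IPA and APK files are both zip archives, so one
scanner covers both platforms. Sample archives are constructed in memory."""
import io
import re
import zipfile

# String indicators quoted from the writeup.
SEAFLOWER_IOCS = {
    b"trx.lnfura.org": "exfiltration host impersonating Infura (iOS MetaMask)",
    b"colnbase.homes": "exfiltration host impersonating Coinbase (Android)",
    b"/u/sms/": "exfiltration path used by the Android Coinbase Wallet clone",
    b"FKKKSDFDFFADS": "obfuscated class in the injected iOS dylib",
}
# Hooking indicators. Only meaningful inside an injected dylib/framework: the
# real MetaMask binary legitimately calls dataWithContentsOfFile:options:error:.
# MSHookMessageEx is assumed here as the Substrate hooking symbol (not from the page).
HOOK_IOCS = {
    b"CydiaSubstrate": "Cydia Substrate hooking framework linked in",
    b"MSHookMessageEx": "Substrate Objective-C method hooking API (assumed)",
    b"dataWithContentsOfFile:options:error:": "selector SeaFlower hooks when the JS bundle loads",
}
INJECTABLE = re.compile(r"(\.dylib$|/Frameworks/.+\.framework/)")


def scan_archive(archive: bytes) -> list[dict]:
    """Return one finding per indicator hit, with severity and the member it was in."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Assumption: present in ad-hoc/enterprise sideloads, absent from App Store builds.
            if name.endswith("embedded.mobileprovision"):
                findings.append({"member": name, "indicator": "embedded.mobileprovision",
                                 "severity": "medium",
                                 "reason": "app ships with its own provisioning profile"})
            blob = zf.read(info)
            for needle, reason in SEAFLOWER_IOCS.items():
                if needle in blob:
                    findings.append({"member": name, "indicator": needle.decode(),
                                     "severity": "high", "reason": reason})
            if INJECTABLE.search(name):
                for needle, reason in HOOK_IOCS.items():
                    if needle in blob:
                        findings.append({"member": name, "indicator": needle.decode(),
                                         "severity": "medium", "reason": reason})
    return findings


def verdict(findings: list[dict]) -> str:
    """Collapse findings to one of: trojanized, suspicious, clean."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "trojanized"
    if "medium" in severities:
        return "suspicious"
    return "clean"


def build_sample(trojanized: bool) -> bytes:
    """Constructed IPA-shaped archive for demonstration (not a real MetaMask build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/MetaMask.app/Info.plist", b'<plist version="1.0"></plist>')
        # The genuine main binary references the selector itself and must not be flagged.
        zf.writestr("Payload/MetaMask.app/MetaMask",
                    b"\xcf\xfa\xed\xfe dataWithContentsOfFile:options:error: main.jsbundle")
        zf.writestr("Payload/MetaMask.app/main.jsbundle", b"// react-native bundle")
        if trojanized:
            zf.writestr("Payload/MetaMask.app/embedded.mobileprovision", b"<plist/>")
            zf.writestr("Payload/MetaMask.app/Frameworks/libhook.dylib",
                        b"\xcf\xfa\xed\xfe CydiaSubstrate MSHookMessageEx "
                        b"dataWithContentsOfFile:options:error: FKKKSDFDFFADS "
                        b"https://trx.lnfura.org/")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = scan_archive(build_sample(flag))
        print(f"trojanized={flag}: verdict={verdict(hits)}")
        for h in hits:
            print(f"  [{h['severity']}] {h['member']}: {h['indicator']} ({h['reason']})")
```

To scan a real package, read the .ipa or .apk into bytes and pass it to scan_archive; the high-severity string matches are specific to this campaign, while the medium-severity hooking and provisioning-profile hits are generic signs of a modded sideload and should be reviewed rather than treated as proof on their own.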

Attribution and Impact

The campaign’s name derives from a macOS username (“Zhang Haike”) left behind in the code, a reference to a character in the Chinese novel Tibetan Sea Flower (藏海花). Additional usernames (“lanyu” and “trader”) further link the operation to a single threat actor. The attack’s sophistication, combining app modding, automated deployment, and stealthy exfiltration, marks a significant escalation in Web3-targeted threats.

With no visible red flags during normal use, SeaFlower represents a high-risk threat to cryptocurrency users, particularly those relying on third-party download sources. The campaign underscores the growing complexity of attacks against decentralized finance (DeFi) platforms.

Source: https://cybersecuritynews.com/sophisticated-seaflower-backdoor-campaign-targets-web3-wallets/

MetaMask cybersecurity rating report: https://www.rankiteo.com/company/metamask

imToken cybersecurity rating report: https://www.rankiteo.com/company/imtoken

Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase

TokenPocket cybersecurity rating report: https://www.rankiteo.com/company/tokenpocket

"id": "METIMTCOITOK1772124856",
"linkid": "metamask, imtoken, coinbase, tokenpocket",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users who downloaded trojanized '
                                              'versions',
                        'industry': 'FinTech, Cryptocurrency',
                        'location': 'Global',
                        'name': 'Coinbase Wallet',
                        'type': 'Cryptocurrency Wallet'},
                       {'customers_affected': 'Users who downloaded trojanized '
                                              'versions',
                        'industry': 'FinTech, Cryptocurrency',
                        'location': 'Global',
                        'name': 'MetaMask',
                        'type': 'Cryptocurrency Wallet'},
                       {'customers_affected': 'Users who downloaded trojanized '
                                              'versions',
                        'industry': 'FinTech, Cryptocurrency',
                        'location': 'Global',
                        'name': 'TokenPocket',
                        'type': 'Cryptocurrency Wallet'},
                       {'customers_affected': 'Users who downloaded trojanized '
                                              'versions',
                        'industry': 'FinTech, Cryptocurrency',
                        'location': 'Global',
                        'name': 'imToken',
                        'type': 'Cryptocurrency Wallet'}],
 'attack_vector': 'Cloned download sites, Trojanized apps, Malicious '
                  'provisioning profiles, Injected .dylib files (iOS), '
                  'Malicious smali code (Android)',
 'customer_advisories': 'Users should immediately uninstall any suspicious '
                        'wallet apps and transfer funds to a secure wallet.',
 'data_breach': {'data_encryption': 'RSA-encrypted payloads for exfiltration',
                 'data_exfiltration': 'Yes (to attacker-controlled domains '
                                      'like trx.lnfura[.]org and '
                                      'colnbase[.]homes)',
                 'personally_identifiable_information': 'Seed phrases, wallet '
                                                        'addresses',
                 'sensitivity_of_data': 'High (cryptocurrency access '
                                        'credentials)',
                 'type_of_data_compromised': ['Seed phrases',
                                              'Wallet addresses',
                                              'Balances',
                                              'Personally identifiable '
                                              'information (PII)']},
 'description': 'A newly uncovered cyber threat campaign, SeaFlower (藏海花), has '
                'been targeting users of popular Web3 cryptocurrency wallets '
                'with advanced backdoor attacks designed to steal seed phrases '
                'and drain funds. The campaign leverages reverse engineering, '
                'app cloning, and covert data exfiltration, making it one of '
                'the most technically sophisticated threats to Web3 users '
                'documented to date.',
 'impact': {'brand_reputation_impact': 'High (due to sophisticated and '
                                       'stealthy nature of the attack)',
            'data_compromised': 'Seed phrases, wallet addresses, balances, '
                                'personally identifiable information (PII)',
            'financial_loss': 'Funds drained from cryptocurrency wallets',
            'identity_theft_risk': 'High (seed phrases and wallet data stolen)',
            'operational_impact': 'Loss of trust in Web3 wallets, potential '
                                  'long-term reputational damage to wallet '
                                  'providers',
            'payment_information_risk': 'High (cryptocurrency theft)',
            'revenue_loss': 'Potential loss of revenue for wallet providers '
                            'due to user attrition',
            'systems_affected': 'iOS and Android devices running trojanized '
                                'Web3 wallets'},
 'initial_access_broker': {'backdoors_established': 'Yes (injected .dylib '
                                                    'files, malicious smali '
                                                    'code)',
                           'entry_point': 'Cloned download sites promoted via '
                                          'Chinese search engines (Baidu, '
                                          'Sogou, 360 Search, Shenma)',
                           'high_value_targets': 'Web3 wallet users (Coinbase '
                                                 'Wallet, MetaMask, '
                                                 'TokenPocket, imToken)'},
 'investigation_status': 'Ongoing (discovered by Confiant analysts)',
 'lessons_learned': 'The campaign highlights the growing sophistication of '
                    'Web3-targeted threats, the risks of third-party download '
                    'sources, and the need for enhanced security measures in '
                    'cryptocurrency wallets.',
 'motivation': 'Financial gain (cryptocurrency theft), Data exfiltration (seed '
               'phrases, wallet addresses, balances)',
 'post_incident_analysis': {'corrective_actions': ['Enhanced security measures '
                                                   'for wallet apps (e.g., '
                                                   'code obfuscation, runtime '
                                                   'integrity checks)',
                                                   'User education on safe '
                                                   'download practices',
                                                   'Improved detection of '
                                                   'cloned apps and malicious '
                                                   'domains'],
                            'root_causes': ['Lack of user awareness about '
                                            'unofficial download sources',
                                            'Sophisticated app cloning and '
                                            'reverse engineering techniques',
                                            'Bypassing of App Store security '
                                            '(iOS)',
                                            'Stealthy data exfiltration '
                                            'methods']},
 'recommendations': ['Avoid downloading wallet apps from unofficial sources',
                     'Verify app authenticity through official websites or app '
                     'stores',
                     'Use hardware wallets for added security',
                     'Monitor wallet activity for unauthorized transactions',
                     'Implement multi-factor authentication (MFA) where '
                     'possible'],
 'references': [{'source': 'Confiant'}],
 'response': {'third_party_assistance': 'Confiant (threat analysis)'},
 'threat_actor': 'Chinese-speaking threat actors (likely a single threat actor '
                 'or group)',
 'title': 'SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting '
          'Cryptocurrency Users',
 'type': 'Backdoor Attack, Cryptocurrency Wallet Hack',
 'vulnerability_exploited': 'App cloning, Reverse engineering, Bypassing App '
                            'Store security (iOS), JavaScript bundle '
                            'interception, RSA-encrypted payload exfiltration'}