Users of well-known Web3 wallets have been the target of a recently identified cybersecurity threat called SeaFlower, which aims to steal private seed phrases. This article explores the compromised apps used by SeaFlower. The campaign, which began in early 2022, draws attention to the increasing risks that Web3 wallet users face and underlines the importance of staying vigilant about security.

Attackers try to obtain user credentials by inserting backdoor code into trustworthy apps without changing the wallet's apparent functionality.

SeaFlower: What Is It?

The SeaFlower campaign is thought to be among the most technically advanced threats aimed at Web3 wallets, ranking right behind well-known attackers such as the Lazarus Group. The name "SeaFlower" was chosen after researchers found references to the Chinese language, including a username associated with a Chinese author.

Security researchers discovered Chinese IP addresses, macOS usernames, and the signing infrastructure of the attack during their investigation.

Although complete attribution remains difficult, these findings suggest that a Chinese-speaking group is behind the campaign. SeaFlower's main attack strategy is to modify trustworthy Web3 wallet applications such as MetaMask, Coinbase Wallet, TokenPocket, and imToken. By inserting a backdoor into these applications, the attackers are able to transmit user seed phrases to an outside server.

[Image: Intercepting SeaFlower backdoor HTTPS traffic (Source: Confiant)]

The typical user cannot detect this backdoor code because the wallet's functionality is unaffected. Sensitive user data may be exposed, though: network traffic monitoring shows that these altered apps communicate with dubious domains.

How Does SeaFlower Operate?

SeaFlower operates in a very covert manner. When a user installs a backdoored version of a wallet app there are no overt indications of malicious activity, and the user interface and overall experience remain normal. But when users create their wallet and input their seed phrase, the application transmits it to an attacker-controlled server over an encrypted network connection. This is carried out by custom code added to the application that runs in the background.
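The network-level behaviour described above (a backdoored wallet build quietly posting the seed phrase to an attacker-controlled server, and traffic monitoring revealing connections to suspicious domains) is the most practical detection hook a defender has. The script below is an added example, not code from Confiant, ZeroOwl or any wallet vendor: it scans a hypothetical tab-separated egress-proxy log and flags wallet-app connections that hit either of the two defanged domains the article names, that embed a wallet brand name under a foreign apex (the som-coinbase[.]com pattern), or that fall outside an assumed per-app allowlist. The log format, the app labels, the allowlist entries and the log lines are all constructed for the example.

```python
"""Flag wallet-app egress connections with SeaFlower-style characteristics.

Added example; not code from Confiant, ZeroOwl or any wallet vendor. Assumes a
hypothetical tab-separated egress-proxy log with one TLS connection per line:
    <timestamp>  <app label>  <destination URL>  <bytes sent>
The two defanged domains are the ones named in the article; every other value
(app labels, allowlist entries, log lines) is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Indicators named in the article, kept defanged exactly as printed there.
DEFANGED_IOCS = ["appim[.]xyz", "som-coinbase[.]com"]

# Assumed allowlist: apex domains a clean build of each app is expected to
# contact. In practice this would be derived from a known-good build's traffic.
ALLOWLIST = {
    "MetaMask": {"metamask.io", "infura.io"},
    "Coinbase Wallet": {"coinbase.com"},
    "imToken": {"token.im"},
}

# Wallet brand words and the apex they legitimately belong to (assumed). A host
# that contains the word but is not under that apex is treated as a lookalike.
BRAND_APEX = {
    "coinbase": "coinbase.com",
    "metamask": "metamask.io",
    "imtoken": "token.im",
}


def refang(domain: str) -> str:
    """Turn the article's defanged form 'a[.]b' back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


@dataclass
class Finding:
    app: str
    host: str
    reason: str
    severity: str  # "high" or "medium"


def assess(app: str, host: str) -> Optional[Finding]:
    """Apply the three rules in priority order; return None for benign traffic."""
    host = host.lower().rstrip(".")
    # Rule 1: exact match or subdomain of a published indicator.
    if any(is_under(host, ioc) for ioc in IOC_DOMAINS):
        return Finding(app, host, "known SeaFlower indicator", "high")
    # Rule 2: brand name embedded in a host that is not the brand's own apex.
    for brand, legit_apex in BRAND_APEX.items():
        if brand in host and not is_under(host, legit_apex):
            return Finding(app, host, f"lookalike of {legit_apex}", "high")
    # Rule 3: a wallet app talking to anything outside its allowlist. Lower
    # severity: it may be a CDN or analytics host, but it deserves a look.
    allowed = ALLOWLIST.get(app)
    if allowed is not None and not any(is_under(host, d) for d in allowed):
        return Finding(app, host, "wallet app contacted non-allowlisted host", "medium")
    return None


def parse_line(line: str) -> Optional[tuple[str, str, str, int]]:
    """Parse one log line into (timestamp, app, host, bytes_sent); None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return None
    ts, app, url, sent = fields
    host = urlsplit(url).hostname
    if not host or not sent.isdigit():
        return None
    return ts, app, host, int(sent)


def scan(log_text: str) -> list[Finding]:
    """Run assess() over every well-formed line and collect findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, app, host, _sent = parsed
        finding = assess(app, host)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log. Only the two article domains are real indicators; the
# .example hosts are reserved names used purely as stand-ins.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2022-03-01T10:00:01Z", "MetaMask", "https://mainnet.infura.io/v3/demo", "1403"),
    ("2022-03-01T10:00:02Z", "MetaMask", "https://appim.xyz/upload", "612"),
    ("2022-03-01T10:00:05Z", "Coinbase Wallet", "https://som-coinbase.com/api", "588"),
    ("2022-03-01T10:00:06Z", "Coinbase Wallet", "https://download-coinbase.example/dl", "590"),
    ("2022-03-01T10:00:07Z", "Coinbase Wallet", "https://api.wallet.coinbase.com/v2", "2200"),
    ("2022-03-01T10:00:09Z", "imToken", "https://cdn.example.net/assets", "310"),
    ("2022-03-01T10:00:11Z", "Safari", "https://news.example.org", "4000"),
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.app}: {f.host} ({f.reason})")
```

The rules are ordered by confidence: a published indicator is the strongest signal, a brand word under a foreign apex is the cloned-site pattern the article shows, and an unexpected destination for a wallet app is only a lead, since a clean build may also talk to a CDN or telemetry host. Because the backdoor sends the phrase over TLS, the hostname (from SNI or proxy logs) is the field worth matching on; the payload itself is not visible.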

Researchers have reverse-engineered a number of backdoored wallet versions, including those for Coinbase Wallet and MetaMask, and found that the attackers harvest seed phrases using a variety of methods.

[Image: The imToken clone website hosted at appim[.]xyz, provided by DomainTools (Source: Confiant)]

For example, the backdoor in the MetaMask iOS app is triggered when the seed phrase is saved. This code sends the seed phrase to an attacker's server using the startupload() function. In other cases, the attacker uses modified libraries, such as MonkeyDev, to inject code that exfiltrates the seed phrase when the app accesses the wallet's storage. To distribute these backdoored apps, SeaFlower uses phony, cloned websites that imitate the official wallet download pages.

These websites are frequently promoted through Chinese search engines such as Baidu, which are one of the primary entry points for potential victims. After clicking a deceptive search result, users land on these fraudulent websites, where they unknowingly download a compromised app.

SeaFlower is one of the most intricate Web3 wallet attacks discovered to date because it combines cloned websites, phony app downloads, and complex backdoor code. Confiant notes that the exfiltration of user seed phrases poses a clear risk, even though the backdoor itself is undetectable during regular app use.

[Image: Cloned Coinbase Wallet website at som-coinbase[.]com (Source: Confiant)]

Web3 wallet developers must put stronger security measures in place to shield users from such advanced threats. Users are also advised to download apps only from official app stores and not to trust third-party provisioning profiles, since trusting such profiles could leave them vulnerable to similar attacks.