Users of well-known Web3 cryptocurrency wallets have been the target of a highly advanced and previously unreported threat campaign called SeaFlower (藏海花), which inserts covert backdoors into cloned versions of genuine applications in order to steal seed phrases and drain victims' funds. Given the attackers' extensive expertise in reverse engineering, app modding, automated deployment, and covert exfiltration, the campaign is regarded as one of the most technically sophisticated threats to Web3 users recorded to date.

In particular, SeaFlower targets four popular wallets on the iOS and Android platforms: Coinbase Wallet, MetaMask, TokenPocket, and imToken. The applications that have been backdoored are exact replicas of their authentic counterparts. Even seasoned users would not notice anything unusual during routine cryptocurrency activity because the user interface, wallet functionality, and overall user experience are all completely unaltered.

For the Coinbase Wallet APK (SHA-256: 83dec763560049965b524932dabc6bd6252c7ca2ce9016f47c397293c6cd17a5), the attackers injected malicious smali code through a class named XMPMetadata. The injected code triggers an HTTP POST request as soon as a seed phrase is saved to storage. The command-and-control domain was further obscured with Base64 encoding and resolved to https://colnbase[.]homes/u/sms/. The som-coinbase[.]com website is a clone of the Coinbase Wallet site (Source: Confiant).

Users are advised to download wallet apps only from the Google Play Store or the Apple App Store. Unknown provisioning profiles on iPhones should never be approved, because they let unverified software bypass Apple's security controls.

To raise the cost of tampering, Web3 developers should build in anti-instrumentation defenses, injected-library detection, and inline-hook detection.
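The injected-library detection recommended above, as an added example (not Confiant's or any wallet vendor's code): a native self-check that parses /proc/self/maps and flags any mapped library whose path names a known instrumentation framework. The suspect-name list and the function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Name fragments of common instrumentation/hooking frameworks; assumed list. */
static const char *SUSPECT_LIBS[] = { "frida", "substrate", "xposed", "riru", "dobby" };

/* Case-insensitive, length-bounded substring test (strstr has no bound). */
static bool contains_ci(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t k = 0;
        while (k < m && tolower((unsigned char)hay[i + k]) == tolower((unsigned char)needle[k])) k++;
        if (k == m) return true;
    }
    return false;
}

/* One /proc/<pid>/maps line: address perms offset dev inode [pathname].
 * True if the pathname names a suspect library; anonymous mappings never match. */
bool maps_line_is_suspect(const char *line)
{
    const char *p = line;
    for (int field = 0; field < 5; field++) {          /* skip the fixed fields */
        while (*p && *p != ' ' && *p != '\n') p++;
        while (*p == ' ') p++;
    }
    size_t len = strcspn(p, "\n");                     /* pathname length */
    for (size_t i = 0; len && i < sizeof SUSPECT_LIBS / sizeof *SUSPECT_LIBS; i++)
        if (contains_ci(p, len, SUSPECT_LIBS[i])) return true;
    return false;
}

/* Live self-check; run it at startup and periodically, and treat a hit as a
 * tamper signal to report, not a reason to crash on the spot. */
bool process_has_injected_libs(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[4096];
    bool found = false;
    if (!f) return false;
    while (!found && fgets(line, sizeof line, f)) found = maps_line_is_suspect(line);
    fclose(f);
    return found;
}
```

On Android this is the kind of check you would compile into the app's native library and call from JNI_OnLoad. Report a hit to your backend rather than only crashing, since an immediate crash tells the tamperer exactly where to patch.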