A sophisticated new cyber threat campaign, named SeaFlower, has been discovered actively targeting users of popular Web3 cryptocurrency wallets. This previously unreported threat has been embedding stealthy backdoors into cloned versions of legitimate applications, allowing attackers to silently steal seed phrases and drain victims’ digital assets. The SeaFlower campaign is notable for its technical advancement, showcasing accomplished reverse engineering, app modification, and covert data exfiltration techniques.
The SeaFlower campaign specifically targets four major Web3 wallets: Coinbase Wallet, MetaMask, TokenPocket, and imToken, affecting both iOS and Android platforms. The malicious applications are described as pixel-perfect replicas of their legitimate counterparts, meaning their user interfaces and core functionalities remain entirely unchanged, making them virtually undetectable to even experienced users.
SeaFlower Backdoor Campaign Targets Web3 Wallets with Sophisticated Tactics
Confiant analysts identified SeaFlower as a distinct and previously undocumented malicious activity cluster. Evidence strongly suggests the involvement of Chinese-speaking threat actors. This attribution is supported by source code comments within the injected backdoor code, which were written in Chinese. Additionally, leaked macOS developer usernames were mapped to Chinese names, and the modding frameworks utilized are widely popular within the Chinese-speaking developer community. The campaign’s infrastructure further pointed to China and Hong Kong, with domains registered under .cn top-level domains and Alibaba CDN services being abused for content delivery.
The name “SeaFlower” itself was derived from a detail uncovered during the analysis. A leaked macOS username, “Zhang Haike,” was found embedded within one of the injected .dylib files. Researching this name led to a character in a Chinese novel titled “Tibetan Sea Flower.” The discovery of additional developer usernames such as “lanyu” and “trader” across different backdoored wallet variants further confirmed a common author behind the entire operation.
The initial entry point for most victims appears to have been through Chinese search engines. When users searched for terms like “download metamask ios,” search results from Baidu and other engines, including Sogou, 360 Search, and Shenma, redirected users to SeaFlower-operated fake websites. These cloned sites were visually indistinguishable from official wallet download pages, complete with fabricated ratings and download counts, effectively tricking users into installing the trojanized applications.
Inside the SeaFlower Backdoor: A Hidden Payload Within the App
Once a user installs a SeaFlower-modified wallet, the malicious code operates silently in the background without raising suspicion. For iOS users, the infection process begins with a provisioning profile download pushed from the fake website. This profile allows the backdoored application to run outside the official Apple App Store. After installation, the app functions as expected, but hidden within its code is an injected dynamic library that works covertly.
In the case of the MetaMask iOS wallet, researchers discovered two injected .dylib files within the compiled Mach-O binary. The primary malicious library leveraged common iOS modding tools, including Cydia Substrate, Cycript, and MonkeyDev. These tools allowed the backdoor to hook into the app’s runtime without triggering any visible alerts to the user.
The backdoor effectively intercepted a core iOS method, `dataWithContentsOfFile:options:error:`, at the precise moment MetaMask reads its main JavaScript bundle. Buried within the injected library was an obfuscated class, identified as FKKKSDFDFFADS, which contained RSA-encrypted backdoor code. Once decrypted at runtime, this code revealed a `startupload()` function. This function silently transmitted the victim’s seed phrase, wallet address, and balance to an attacker-controlled domain over HTTPS. The exfiltration was routed through lookalike domains, such as `trx.lnfura[.]org`, which mimicked the legitimate Infura service to avoid detection.
On the Android platform, the attack method was simpler but equally effective. For the Coinbase Wallet APK, attackers injected malicious smali code through a class named XMPMetadata. This code triggered an HTTP POST request the moment a seed phrase was saved to storage. The command-and-control domain used in this instance was further concealed by Base64 encoding and resolved to `https://colnbase[.]homes/u/sms/`, a domain designed to appear legitimate.
According to the researchers, the persistent sophistication of this campaign highlights the evolving threats faced by Web3 users. The ability of attackers to create near-perfect replicas of legitimate applications and exploit user trust through search engine poisoning presents a significant challenge to security efforts. The technical depth demonstrated by SeaFlower, including the use of advanced hooking techniques and encrypted payloads, indicates a well-resourced and determined threat actor.
Web3 developers can take proactive steps by implementing robust inline hook detection, injected library detection, and anti-instrumentation defenses to increase the difficulty for attackers to tamper with their applications. For users, the key recommendation remains to always download wallet applications exclusively from official app stores. Additionally, users should exercise extreme caution with provisioning profiles on iPhones and actively monitor outbound network traffic from their wallet applications for any unexpected domains. Verifying SHA-256 hashes of downloaded application files before installation, where technically feasible, is also a crucial step for confirming file integrity.
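To illustrate the "injected library detection" the researchers recommend against the kind of extra .dylib load commands found in the MetaMask iOS binary, here is an added Python example; it is not Confiant's tooling or any wallet project's code. It walks the load commands of a thin 64-bit Mach-O and reports every dylib path that is absent from a baseline list taken from the developer's own build; the sample binary, the baseline and the injected path name are constructed for the demonstration, and fat/universal binaries are out of scope.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB}
HEADER_FMT, HEADER_LEN = "<IiiIIIII", 32   # mach_header_64, little-endian

def linked_dylibs(blob: bytes) -> list:
    """Return every dylib path the loader will link for a thin 64-bit
    little-endian Mach-O, validating each load command's size as it goes."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off, end, names = HEADER_LEN, HEADER_LEN + sizeofcmds, []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, name offset, timestamp, two versions; name is NUL-terminated
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            raw = blob[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return names

def injected_dylibs(blob: bytes, baseline: list) -> list:
    """Paths linked by the binary but absent from the developer's own build baseline."""
    return [n for n in linked_dylibs(blob) if n not in set(baseline)]

# Constructed sample: a minimal Mach-O whose load commands carry one unexpected dylib
def _dylib_cmd(path: str) -> bytes:
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)                  # keep cmdsize 8-byte aligned
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name

def build_macho(paths: list) -> bytes:
    cmds = b"".join(_dylib_cmd(p) for p in paths)
    # magic, cputype ARM64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0) + cmds

BASELINE = ["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/Foundation.framework/Foundation"]
INJECTED = "@executable_path/Frameworks/libexample_hook.dylib"   # placeholder name, not from the campaign
SAMPLE = build_macho(BASELINE + [INJECTED])

def scan_sample() -> list:
    return injected_dylibs(SAMPLE, BASELINE)   # returns [INJECTED]
```

In practice the baseline is generated from the unmodified build in CI and the scan is run over the shipped binary's executable and each framework, so any load command an attacker adds during repackaging stands out without needing to analyse the library itself.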