Amid ongoing crypto adoption and significant crypto price surges, a new phishing scam has surfaced in China, specifically targeting crypto users, as reported by the crypto security analytics firm SlowMist. The scammers exploit China’s ban on international applications, capitalizing on mainland users’ tendency to search for banned apps through third-party platforms. These exploiters are also taking advantage of this latest cryptocurrency bull run.
Chinese exploiters seize opportunities in surging Crypto industry
As of now, cryptocurrency is fully banned in China, but their exploiters are still looking for a loophole in this rapidly surging industry. Social media applications like Telegram, WhatsApp, and Skype are commonly sought after by mainland users, making them sensitive to scams involving fake, cloned applications loaded with malware aimed at attacking crypto wallets.
The SlowMist team identified the fraudulent Skype app with version number 126.96.36.1993, distinct from the legitimate version of 188.8.131.52. The phishing backend domain initially posed as Binance on Nov. 23, 2022, and later changed to mimic a Skype backend domain on May 23, 2023. The scam was first reported by a user who suffered a substantial financial loss.
Malware insertion and android network framework modifications
Upon analysis, the tampered signature of the fake app revealed malware insertion. The security team decompiled the app, discovering modifications to the commonly used Android network framework, okhttp3, tailored to target crypto users. The modified okhttp3, disguised as handling Android traffic requests, actually harvested images from various directories on the phone in real time.
The malicious okhttp3 requested users to grant access to internal files and images, exploiting the permissions commonly requested by social media apps. Once granted access, the fake Skype app uploaded images, device information, user ID, phone number, and other data to the backend. The app then searched for images and messages with TRX and ETH-like address formats. If detected, these addresses were automatically replaced with malicious addresses predetermined by the phishing gang.
During SlowMist’s testing, it was observed that the wallet address replacement had ceased, and the phishing interface’s backend was shut down, no longer returning malicious addresses. The team also identified a TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) receiving approximately 192,856 USDT until November 8, with 110 transactions. Simultaneously, an ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received about 7,800 USDT in 10 deposit transactions.
Victim reports and attacker actions
The investigation highlights the importance of vigilance and caution among crypto users to avoid falling victim to such phishing scams. Security firm ZachXBT also reported that the address 0xa8D8A0..5bcE appears to have been drained of approximately $27 million in USDT and 11 ETH. The victim received these USDT about 7 days ago from Binance.
The presumed attacker, identified as 0x03C401…37E3, swapped the stolen USDT for ETH and bridged around 11.6K ETH (valued at approximately $23 million) to Bitcoin via Thorchain. Subsequently, the attacker transferred a portion of these funds to various centralized exchanges (CEXs), including FixedFloat, ChangeNow, SideShift, OKX, WhiteBit, Binance, Kucoin, and HitBTC.