An in-depth look into the infrastructure supporting the “fake wallet” phishing industry

6 min readJun 23, 2022



User A received a text message from their exchange asking them to download the latest wallet. This prompted him to search for “xx wallet official”, and clicking the first link displayed. They then proceeded to download the application, create a wallet, and transfer some funds over to the newly created account. User A received a confirmation that the transfer was successful, but the funds were then drained from his new wallet. This cost user A to lose close to $10 million in USDT. They eventually learned the application was a fake and that he had fallen victim to a phishing scam.

On November 24 of last year, We published an analytic report on the underground market of fake wallets. It is surprising to see how quickly losses continue to build over time.


Today, we will be assessing the number of fake wallets out there from a big data standpoint.

1.It is safe to say that MetaMask is the most popular cryptocurrency wallet extension for web browsers. MetaMask’s parent company, ConsenSys, reported in April 2021 that the wallet service had more than 5 million monthly active users, a fivefold increase in just six months. In 2020, MetaMask officials reported a fourfold increase in monthly active users compared to 2019, bringing the total number of users to more than 80 million.

With so many users, it stands to reason that MetaMask would be a prime target for fraudulent activity.

Here’s what we found after a quick search:

The search results displayed over 20,000 relevant results, with 98 percent of the IP/domain names being fake links and scams.

A follow up search was performed to look for additional MetaMask Download:

At first glance, they all look like phishing sites, and people who know about security should know that ports and services like 888/HTTP and 8888/HTTP are the default configurations of the pagoda system. The fact that pagoda is simple and easy to set up has led to a lot of black and gray market products being used. All of the IP/domain names listed above are scams that try to get users to visit and download.

Here’s something interesting.

First search queried: MetaMask’s Authorization Management Framework (the management background of underground phishing production)

All of these domain names have something to do with the management background of underground production. Here are some of the domain names we captured along with their related resolution time:

Vue+PHP environment, the deployment method is as follows:

2.The same applies to imToken’s authorization management.

Authorization Management of TokenPocket

Phishing Background:

Blockchain background related services:

3.Attackers gather victim details in the background and then use the withdrawal API interface to carry out their malicious activities.

Let’s explore the underlying code:

It includes JS for basic web services, setup, and transfer.

Looking at this again: var _0xodo=’', I must state that Black Ash has overtaken the majority of conventional websites, and individuals are already deploying JS full encryption technology.


Here sc0vu/web3.php: “dev-master” is the php interface system for interacting with Ethereum and the blockchain ecosystem.

Analysis revealed that the attacker transferred the stolen assets using api.html calls after obtaining the private key and other relevant information. This information will not be reiterated in this article.

Do you believe their targets are just phishing sites that impersonate wallets like MetaMask, imToken, TokenPocket, and others?

As a matter of fact, in addition to forging these popular wallets, they also forged and constructed phishing-specific trading platforms. Let’s take a look here:

For example, we discovered more data under this IP address, in addition to the phishing website and the background:

An example of a phishing site representing a trading platform; and this isn’t the only one.

An example of a cryptocurrency phishing platform built using the Laravel framework:

Demonstrating that the fake FTX platform phishing site was built using the ThinkPHP framework:

Let’s have a look at the phishing scam templates that utilize SaaS and are directly sold online:

Most popular wallets are supported by the scamming platform (the wallets here are also faked by them)

The industry’s supply chain for implementing phishing scams for cryptocurrencies and NFTs is extensive, with professional SaaS services, quick implementation technique, and instant online availability.

After doing additional research, we determined that a cloud desktop management framework (shown in the picture below) is utilized to handle the critical data for a trading platform.

To say that these products are sophisticated would be an understatement.


This article focuses primarily on the technological landscape of counterfeit wallets. Low manufacturing costs mean that new wallet phishing websites are appearing more often than before. There is now an established industrial supply chain in place. Scammers often directly utilize various tools to replicate popular wallet project websites in an attempt to deceive their victims. The mnemonic for the user’s private key is entered or the user is coaxed into authorizing approval. Before trying to download an application or log-in to a service, it is wise to double-check the URL. Avoid downloading applications from unknown sources and only trust official websites or media outlets in order to protect yourself against phishing scams.




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.