
DNS Deep Diving into FakeWallet Crypto Stealer

This March, researchers uncovered more than 20 phishing apps masquerading as popular crypto wallets. When clicked, they redirected users to fake App Store pages that hosted trojanized versions of the legitimate apps. Once installed, the malicious apps, dubbed “FakeWallet,” harvested affected users’ recovery phrases and private keys. Worse, FakeWallet metadata suggests the campaign has been running since at least fall 2025.

SecureList published 24 network IoCs comprising subdomains, domains, and an IP address in their FakeWallet analysis. We extracted the unique parent domains from the subdomain IoCs they listed and determined whether any of them belonged to legitimate organizations using the WhoisXML API MCP Server. We then filtered legitimate and inactive domains out of the final domain IoC list.
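The normalization step described above (refang the defanged indicators, derive each subdomain's parent domain, deduplicate, and set aside parents that belong to legitimate services so they do not become domain IoCs) is shown here as an added Python example. It is not part of the original post or of WhoisXML API's tooling. The indicator list is a constructed sample, the public-suffix subset and the allowlist are assumptions, and the "inactive domain" check the post mentions is omitted because it requires live DNS lookups.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample in the "[.]" defanged style used in this post. It mixes
# subdomains, bare domains, a multi-label public suffix, an IP address (RFC 5737
# documentation range) and a deliberate duplicate. Not the full SecureList list.
SAMPLE_IOCS: List[str] = [
    "6688cf[.]jhxrpbgq[.]com",
    "api[.]dc1637[.]xyz",
    "api[.]npoint[.]io",
    "mgi1y[.]siyangoil[.]com",
    "mti4ywy4[.]lahuafa[.]com",
    "crypto-stroe[.]cc",
    "bitpiecn[.]com[.]cn",
    "203[.]0[.]113[.]10",
    "6688cf[.]jhxrpbgq[.]com",
]

# Assumption: a tiny subset of the Public Suffix List. A real pipeline should
# load the full list (e.g. via the publicsuffix2 package); anything not listed
# here is treated as a single-label TLD.
MULTI_LABEL_SUFFIXES: Set[str] = {"com.cn", "org.cn", "co.uk"}

# Assumption: legitimate services whose parent domain must not be blocked even
# when a subdomain of theirs is abused (the post's api.npoint.io case).
LEGITIMATE_SERVICES: Set[str] = {"npoint.io"}


def refang(indicator: str) -> str:
    """Turn defanged notation back into a real hostname or IP: 'a[.]b' -> 'a.b'."""
    s = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", ".")):
        s = s.replace(defanged, real)
    return s


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def registrable_domain(hostname: str) -> str:
    """Return the registrable (parent) domain: the label directly under the public suffix."""
    labels = hostname.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return hostname  # the name is itself just a suffix; nothing to strip
    return ".".join(labels[-(suffix_len + 1):])


def normalize_iocs(raw: List[str]) -> Dict[str, Set[str]]:
    """Refang, classify into IPs / subdomains / domains, derive parents, dedupe,
    and divert allowlisted parents into 'excluded' instead of 'domains'."""
    out: Dict[str, Set[str]] = {"ips": set(), "subdomains": set(), "domains": set(), "excluded": set()}
    for item in raw:
        host = refang(item)
        if is_ip(host):
            out["ips"].add(host)
            continue
        parent = registrable_domain(host)
        if host != parent:
            out["subdomains"].add(host)  # the subdomain itself stays an IoC
        if parent in LEGITIMATE_SERVICES:
            out["excluded"].add(parent)  # do not block the whole service
        else:
            out["domains"].add(parent)
    return out


if __name__ == "__main__":
    for bucket, values in normalize_iocs(SAMPLE_IOCS).items():
        print(f"{bucket:>10}: {sorted(values)}")
```

Note that the abused subdomain (api.npoint.io) is kept in the subdomain bucket, matching the post, while its parent is excluded from the domain IoC list rather than silently dropped, so an analyst can still see what was filtered and why.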

In the end, we were left with 28 network IoCs comprising 12 subdomains, 15 domains, and one IP address for our investigation. Our analysis, aided by our domain, DNS, and threat intelligence tools, led to these discoveries:

  • One client IP address communicated with three domain IoCs
  • One domain IoC was bulk-registered with two look-alikes
  • Two domain IoCs were likely registered with malicious intent
  • Nine potential victim IP addresses communicated with the sole IP IoC
  • 10,812 email-connected domains, 11 of which were confirmed malicious
  • 18 additional IP addresses, eight of which were confirmed malicious
  • Eight IP-connected domains
  • 17 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

FakeWallet Subdomain IoCs Under the Spotlight

We kicked off our investigation by looking more closely into the 12 subdomain IoCs via the WhoisXML API MCP Server. We summed up our findings for five examples below.

  SUBDOMAIN IoC               WXA MCP SERVER FINDING
  6688cf[.]jhxrpbgq[.]com     Flagged for malware distribution on 21–26 April 2026
  api[.]dc1637[.]xyz          Classified as suspicious due to lack of DNS data
  api[.]npoint[.]io           A legitimate service, but likely used as an abuse vector
  mgi1y[.]siyangoil[.]com     Flagged for malware distribution on 21–26 April 2026
  mti4ywy4[.]lahuafa[.]com    Flagged for malware distribution on 21–26 April 2026

All in all, one subdomain IoC fell under a legitimate domain, but the attackers likely abused it to host C&C configurations and payloads as JSON endpoints; because the service sits behind Cloudflare IP addresses, it is hard to block without affecting legitimate traffic. Nine subdomain IoCs were confirmed malicious by our tools, and the remaining two should be approached with caution.

It is also worth noting that the five parent domains of the nine malicious subdomains were updated on 20 April 2026, the day before our tools first flagged the subdomains (21 April 2026), which is consistent with pre-campaign infrastructure staging.

FakeWallet Domain IoCs Deep Dive

Next, we analyzed the 15 domain IoCs in greater depth.

Sample network traffic data from the IASC revealed that one client IP address communicated with three domain IoCs via seven DNS queries between 28 March and 1 April 2026.

We then queried the domain IoCs on Typosquatting API and discovered that one—crypto-stroe[.]cc—was bulk-registered with two look-alikes—crypto-stroe[.]top and crypto-stroe[.]cn—on 9 September 2025.

Next, we learned that two domain IoCs were likely registered with malicious intent. The domains gxzhrc[.]cn and jhxrpbgq[.]com appeared on the First Watch Malicious Domains Data Feed 539 and 47 days, respectively, before they were published as IoCs on 20 April 2026.

We then queried the domain IoCs on WHOIS API and filled in current WHOIS record detail gaps with the help of Domain Info API. We found out that:

  • They were created between 11 November 2017 and 23 March 2026.
  • They were administered by eight different registrars.
  • While one domain did not have a registrant country on record, the remaining 14 were registered in four different countries.

Finally, we queried the domain IoCs on DNS Chronicle API and discovered that 12 posted 258 historical domain-to-IP resolutions over time. Take a look at specifics for five domains below.

  DOMAIN IoC          NUMBER OF DOMAIN-TO-IP RESOLUTIONS   DATES SEEN (MM/DD/YY)
  iosfc[.]com         103                                  11/23/19–04/21/26
  siyangoil[.]com     27                                   11/03/22–08/24/25
  kkkhhhnnn[.]com     23                                   06/29/25–04/09/26
  sxsfcc[.]com        22                                   11/15/19–04/12/25
  yjzhengruol[.]com   19                                   01/28/25–06/17/25

Overall, the oldest of the 258 historical resolutions for the 12 domain IoCs dates to 15 November 2019.

FakeWallet IP IoC Investigated

After that, we investigated the sole IP IoC further.

First, sample network traffic data from the IASC showed that nine unique IP addresses owned by potential victims under five distinct ASNs communicated with the IP address between 4 December 2025 and 13 April 2026.

We then queried the sole IP IoC on IP Geolocation API and learned that it was geolocated in Singapore under the purview of The Constant Company.

A DNS Chronicle API query for the IP IoC, meanwhile, revealed 114 historical IP-to-domain resolutions between 8 October 2019 and 22 March 2026.

Fresh FakeWallet Artifacts Found

After learning more about the IoCs identified so far, we then hunted for new artifacts.

We began by querying the 15 domain IoCs on WHOIS History API. We uncovered 19 unique email addresses from their historical WHOIS records. Upon further scrutiny, we learned that nine were public email addresses.

Reverse WHOIS API queries for the public email addresses revealed that two could belong to domainers, so we excluded them from the next part of our analysis. The remaining seven public email addresses were used to register 10,812 unique email-connected domains, after those already tagged as IoCs were filtered out.

According to the results of our Threat Intelligence API queries for the email-connected domains, 11 have already been weaponized for various malicious campaigns. Here are more details on five of them.

  MALICIOUS EMAIL-CONNECTED DOMAIN   ASSOCIATED THREAT      DATES SEEN (MM/DD/YY)
  bitpiecn[.]com[.]cn                Malware distribution   03/09/23–04/25/26
  ld018[.]com                        Malware distribution   02/25/25–04/27/26
  meta-mask[.]org[.]cn               Malware distribution   03/09/23–04/27/26
  one-key[.]org[.]cn                 Malware distribution   03/09/23–04/27/26
  t0kenpocket[.]cn                   Malware distribution   03/09/23–04/27/26

Next, we queried the domain IoCs on DNS Lookup API and discovered 18 additional IP addresses after the sole IP IoC was filtered out.

Threat Intelligence API queries for the additional IP addresses showed that eight have already figured in various attacks.
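The two pivots used in this post, the historical-resolution summary in the domain IoC section (per-domain resolution counts with first and last seen dates, and the oldest resolution overall) and the expansion above from domain IoCs to additional IP addresses with the known IP IoC filtered out, plus the reverse IP-to-domain pivot that yields IP-connected domains, are shown here as an added Python example. It is not taken from the post or from the DNS Chronicle or DNS Lookup APIs. The records are constructed, use RFC 5737 documentation addresses, and do not reproduce the real resolutions behind the post's figures; the record layout (domain, IP, first seen, last seen) is an assumption about what a passive-DNS source returns.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Resolution(NamedTuple):
    """One historical domain-to-IP resolution with its observation window."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records (not the post's data). Domain names are taken from
# the post's tables; the IPs are RFC 5737 documentation addresses.
RECORDS: List[Resolution] = [
    Resolution("iosfc.com", "192.0.2.10", date(2019, 11, 23), date(2021, 5, 1)),
    Resolution("iosfc.com", "192.0.2.11", date(2021, 5, 2), date(2026, 4, 21)),
    Resolution("sxsfcc.com", "192.0.2.10", date(2019, 11, 15), date(2025, 4, 12)),
    Resolution("siyangoil.com", "198.51.100.7", date(2022, 11, 3), date(2025, 8, 24)),
    Resolution("kkkhhhnnn.com", "198.51.100.7", date(2025, 6, 29), date(2026, 4, 9)),
    Resolution("kkkhhhnnn.com", "203.0.113.5", date(2026, 1, 1), date(2026, 4, 9)),
    Resolution("yjzhengruol.com", "203.0.113.5", date(2025, 1, 28), date(2025, 6, 17)),
]

# Assumption: stands in for the post's single IP IoC, which must be removed from
# the "additional IP addresses" result because it is already known.
KNOWN_IP_IOC = "203.0.113.5"


def summarize_domains(records: Iterable[Resolution]) -> Dict[str, Tuple[int, date, date]]:
    """Per domain: (number of resolutions, earliest first_seen, latest last_seen)."""
    summary: Dict[str, Tuple[int, date, date]] = {}
    for r in records:
        count, first, last = summary.get(r.domain, (0, r.first_seen, r.last_seen))
        summary[r.domain] = (count + 1, min(first, r.first_seen), max(last, r.last_seen))
    return summary


def oldest_resolution(records: Iterable[Resolution]) -> date:
    """Earliest first_seen across all records (the post's 'oldest resolution')."""
    return min(r.first_seen for r in records)


def pivot_to_ips(records: Iterable[Resolution], known_ips: Iterable[str]) -> List[str]:
    """Forward pivot: IPs the domain IoCs resolved to, minus IPs already tagged as IoCs."""
    return sorted({r.ip for r in records} - set(known_ips))


def cohosted_domains(records: Iterable[Resolution], ip: str) -> List[str]:
    """Reverse pivot: every domain ever seen on one IP (IP-connected domains)."""
    return sorted({r.domain for r in records if r.ip == ip})


def shared_hosting_groups(records: Iterable[Resolution]) -> Dict[str, List[str]]:
    """IPs that hosted more than one IoC domain, a common sign of shared attacker infrastructure."""
    by_ip: Dict[str, set] = defaultdict(set)
    for r in records:
        by_ip[r.ip].add(r.domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


if __name__ == "__main__":
    for domain, (count, first, last) in summarize_domains(RECORDS).items():
        print(f"{domain:<18} {count:>3} resolutions  {first}–{last}")
    print("oldest resolution:", oldest_resolution(RECORDS))
    print("additional IPs:", pivot_to_ips(RECORDS, [KNOWN_IP_IOC]))
    print("domains on the IP IoC:", cohosted_domains(RECORDS, KNOWN_IP_IOC))
    print("shared hosting:", shared_hosting_groups(RECORDS))
```

The additional IPs are the candidates one would then feed to a threat-intelligence lookup, as the post does; the shared-hosting view is the check worth adding before doing so, since an IP that hosted several IoC domains is far more likely to be attacker-controlled than one that appears once on a large shared host.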

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
