A highly sophisticated and previously unreported threat campaign dubbed SeaFlower (藏海花) has been actively targeting users of popular Web3 cryptocurrency wallets, embedding stealthy backdoors into cloned versions of legitimate applications to silently steal seed phrases and drain victims’ funds.
The campaign is considered one of the most technically advanced threats to Web3 users ever documented, with attackers demonstrating deep skill in reverse engineering, app modding, automated deployment, and covert exfiltration.
SeaFlower specifically targets four major wallets — Coinbase Wallet, MetaMask, TokenPocket, and imToken — across both iOS and Android platforms.
The backdoored applications are pixel-perfect replicas of their legitimate counterparts.
The user interface, wallet functionality, and overall user experience remain entirely unchanged, meaning even experienced users would detect nothing suspicious during everyday crypto activity.
Confiant analysts identified SeaFlower as a unique and previously uncharted cluster of malicious activity tied to Chinese-speaking threat actors.
Source code comments in the injected backdoor code were written in Chinese, leaked macOS developer usernames mapped to Chinese names, and the modding frameworks used are widely popular within the Chinese-speaking developer community.
Infrastructure tied to the campaign was traced to Chinese and Hong Kong IP address spaces, with domains registered under .cn TLDs and Alibaba CDN abused for content delivery.
The campaign name itself was drawn from a detail uncovered during analysis. A leaked macOS username — “Zhang Haike” — was found embedded in one of the injected .dylib files, and searching the name led to a character in a Chinese novel titled “Tibetan Sea Flower.”
Additional developer usernames such as “lanyu” and “trader” were uncovered across different backdoored wallet variants, confirming a common author across the entire operation.
The entry point for most victims began with Chinese search engines. When users searched for terms like “download metamask ios,” results returned by Baidu and other engines — including Sogou, 360 Search, and Shenma — redirected users to SeaFlower-operated fake websites.
These cloned sites were visually indistinguishable from official wallet download pages, complete with fabricated ratings and download counts, tricking users into installing trojanized apps.
Inside the Backdoor: A Hidden Payload Within the App
Once a user installs a SeaFlower-modified wallet, the malicious code operates quietly in the background.
For iOS, the infection begins with a provisioning profile download pushed from the fake website, allowing the backdoored application to run outside the Apple App Store.
After installation, the app functions completely normally — but hidden within its code is an injected dynamic library working silently.
In the MetaMask iOS wallet (SHA-256: 9003d11f9ccfe17527ed6b35f5fe33d28e76d97e2906c2dbef11d368de2a75f8), researchers found two injected .dylib files inside the compiled Mach-O binary.
The primary malicious library leveraged iOS modding tools — Cydia Substrate, Cycript, and MonkeyDev — to hook into the app’s runtime without triggering any visible alert.
The backdoor hooked the core iOS Foundation method dataWithContentsOfFile:options:error: at the moment MetaMask reads its main JavaScript bundle.
Buried inside the injected library was an obfuscated class named FKKKSDFDFFADS, which housed RSA-encrypted backdoor code.
Once decrypted at runtime, it revealed a startupload() function that silently transmitted the victim’s seed phrase, wallet address, and balance to an attacker-controlled domain over HTTPS — routed through lookalike domains such as trx.lnfura[.]org, mimicking the legitimate Infura service.
Backdoored wallet silently intercepts seed phrase via injected .dylib, decrypts RSA payload, and exfiltrates data to attacker C2 domain over HTTPS.
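The iOS variant described above lives in extra .dylib files linked into the app's Mach-O executable, so one of the "injected library detection" checks a defender can run on an extracted .app is simply to enumerate the image's dylib load commands and compare them against what the app is supposed to link. The following is an added example, not Confiant's tooling or code from the report: it parses the load commands of a single-architecture little-endian 64-bit Mach-O, lists every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB / LC_REEXPORT_DYLIB install name, and flags any that is neither an iOS system library nor on an allowlist of frameworks the app is known to embed. The allowlist, the framework name ExampleKit and the injected name libhook.dylib are constructed for the example; fat (multi-arch) and 32-bit images are not handled, and a library loaded at runtime via dlopen would not show up here, so this is one check among several.

```python
"""Flag unexpected dynamic libraries linked into a 64-bit Mach-O executable.

Added example (not Confiant's tooling or code from the report): walks the
load commands of an arm64 image and reports dylib imports that are neither
system libraries nor on an allowlist of frameworks the app is known to embed.
"""
import struct
from typing import Iterable, List

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_UUID = 0x1B
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# Libraries shipped by iOS itself; anything else must be explicitly allowed.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def linked_dylibs(image: bytes) -> List[str]:
    """Return the install names of all dylibs the image's load commands import."""
    if len(image) < 32:
        raise ValueError("too short to be a Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only single-arch little-endian 64-bit images are handled (no fat/32-bit)")
    end = 32 + sizeofcmds
    names: List[str] = []
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"malformed load command at offset {off}")
        if cmd in DYLIB_COMMANDS:
            # struct dylib_command: cmd, cmdsize, then struct dylib whose first
            # field is the offset (from the command start) of the NUL-terminated name.
            name_off = struct.unpack_from("<I", image, off + 8)[0]
            raw = image[off + name_off: off + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def unexpected_dylibs(names: Iterable[str], allowed_embedded: Iterable[str]) -> List[str]:
    """Names that are neither iOS system libraries nor known embedded frameworks."""
    allowed = set(allowed_embedded)
    return [n for n in names if not n.startswith(SYSTEM_PREFIXES) and n not in allowed]


def _dylib_command(cmd: int, name: str) -> bytes:
    """Encode one dylib load command (used only to build the sample image)."""
    payload = name.encode() + b"\x00"
    size = 24 + len(payload)
    size += (-size) % 8  # load commands are 8-byte aligned in 64-bit images
    fixed = struct.pack("<IIIIII", cmd, size, 24, 0, 0x10000, 0x10000)
    return fixed + payload.ljust(size - 24, b"\x00")


def build_sample_image(dylibs: Iterable[str]) -> bytes:
    """Construct a minimal arm64 Mach-O header plus load commands for testing."""
    dylibs = list(dylibs)
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16   # a non-dylib command to skip
    for name in dylibs:
        cmds += _dylib_command(LC_LOAD_DYLIB, name)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1 + len(dylibs), len(cmds), 0, 0)
    return header + cmds


# Constructed sample: a system library, a framework the app legitimately embeds
# (hypothetical name), and an injected hook library (hypothetical name).
SAMPLE_IMAGE = build_sample_image([
    "/usr/lib/libSystem.B.dylib",
    "@rpath/ExampleKit.framework/ExampleKit",
    "@executable_path/libhook.dylib",
])
KNOWN_EMBEDDED = {"@rpath/ExampleKit.framework/ExampleKit"}


def check_file(path: str, allowed_embedded: Iterable[str]) -> List[str]:
    """Run the check against the main executable extracted from an .app bundle."""
    with open(path, "rb") as fh:
        return unexpected_dylibs(linked_dylibs(fh.read()), allowed_embedded)


if __name__ == "__main__":
    for name in unexpected_dylibs(linked_dylibs(SAMPLE_IMAGE), KNOWN_EMBEDDED):
        print("unexpected dylib:", name)
```

Point check_file at the main executable inside the extracted .app (after stripping the App Store encryption if present) and pass the list of frameworks your own build embeds; any @rpath or @executable_path entry outside that list is worth a look.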
On Android, the approach was simpler but equally effective. For the Coinbase Wallet APK (SHA-256: 83dec763560049965b524932dabc6bd6252c7ca2ce9016f47c397293c6cd17a5), attackers injected malicious smali code through a class named XMPMetadata, which fired an HTTP POST request the moment a seed phrase was saved to storage.
The command-and-control domain was further concealed by Base64 encoding, resolving to https://colnbase[.]homes/u/sms/.
Recommendations:
- Always download wallet apps exclusively from the Apple App Store or Google Play Store.
- Never approve unknown provisioning profiles on iPhone, as they allow unverified software to bypass Apple’s security controls.
- Web3 developers should implement inline hook detection, injected library detection, and anti-instrumentation defenses to raise the cost of tampering.
- Actively monitor outbound network traffic from wallet applications for unexpected domains.
- Verify SHA-256 hashes of downloaded application files whenever technically feasible to confirm file integrity before installation.
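Both exfiltration domains in this campaign, trx.lnfura[.]org and colnbase[.]homes, are one-character look-alikes of the services the wallets really talk to, which is exactly the pattern the "monitor outbound traffic for unexpected domains" recommendation can catch. The following is an added example, not the report's tooling: it reads constructed connection-log lines, skips destinations on an allowlist of expected wallet backends, and classifies everything else, escalating hosts whose labels imitate a known brand after folding common character swaps (l for i, 0 for o, rn for m) and allowing one edit. The allowlist, the log format and the app labels are assumptions for the example; a real deployment would build the allowlist from the vendor's documented endpoints.

```python
"""Flag unexpected or brand-lookalike destinations in wallet-app outbound logs.

Added example (not the report's tooling): parses constructed connection-log
lines, allowlists the hosts the wallet is expected to reach, and scores every
other destination, escalating those whose labels imitate a wallet-backend brand.
"""
import re
from typing import Dict, List, Optional

# Hosts the wallets are expected to contact. Assumed allowlist for the example.
ALLOWED_HOSTS = {"mainnet.infura.io", "api.coinbase.com", "api.metamask.io"}

# Brand labels attackers imitate, taken from the allowlist's registrable names.
BRAND_LABELS = {"infura", "coinbase", "metamask"}

# Single-character swaps commonly used in squatted names (l for i, 0 for o, ...).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})

# Assumed log format: "... dst=<host>[:<port>]".
DST_RE = re.compile(r"\bdst=([A-Za-z0-9.-]+)(?::\d+)?")


def normalize_label(label: str) -> str:
    """Fold look-alike characters so 'lnfura' and 'infura' compare equal."""
    return label.lower().replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_brand(host: str) -> Optional[str]:
    """Return the brand one of the hostname's labels imitates, or None."""
    for label in host.lower().split("."):
        norm = normalize_label(label)
        for brand in BRAND_LABELS:
            if norm == brand or edit_distance(norm, brand) == 1:
                return brand
    return None


def assess_host(host: str) -> Optional[Dict[str, str]]:
    """Classify one destination; None means it is on the allowlist."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return None
    brand = imitated_brand(host)
    if brand:
        return {"host": host, "severity": "high",
                "reason": f"label imitates '{brand}' outside the allowlist"}
    return {"host": host, "severity": "medium", "reason": "destination not in allowlist"}


def flag_outbound(lines: List[str]) -> List[Dict[str, str]]:
    """Run assess_host over log lines, reporting each suspicious host once."""
    findings: List[Dict[str, str]] = []
    seen = set()
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        verdict = assess_host(m.group(1))
        if verdict and verdict["host"] not in seen:
            seen.add(verdict["host"])
            findings.append(verdict)
    return findings


# Constructed sample log lines: the two lookalike hosts are the ones named in
# the report; timestamps, app labels and the remaining hosts are placeholders.
LOG_LINES = [
    "2024-05-01T10:00:01Z app=metamask-ios dst=mainnet.infura.io:443",
    "2024-05-01T10:00:02Z app=metamask-ios dst=trx.lnfura.org:443",
    "2024-05-01T10:00:03Z app=coinbase-wallet-android dst=api.coinbase.com:443",
    "2024-05-01T10:00:04Z app=coinbase-wallet-android dst=colnbase.homes:443",
    "2024-05-01T10:00:05Z app=coinbase-wallet-android dst=colnbase.homes:443",
    "2024-05-01T10:00:06Z app=metamask-ios dst=cdn.example.net:443",
]

if __name__ == "__main__":
    for f in flag_outbound(LOG_LINES):
        print(f"[{f['severity']}] {f['host']}: {f['reason']}")
```

The medium finding for a host that merely is not on the allowlist is deliberate: a wallet should have a small, stable set of backends, so any new destination deserves triage even when it imitates nothing, while a brand look-alike such as lnfura or colnbase is escalated immediately.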