March 28, 2024
China's New Phishing Scheme Targets Cryptocurrency Enthusiasts
Latest Cryptocurrency News

Chinese Hackers Exploit Skype Facade in New Crypto Phishing Scheme

A new phishing scheme has surfaced in China that uses a counterfeit Skype video app to target cryptocurrency users. SlowMist, a crypto security analytics firm, reported that the attackers built their scam on the country’s ban on foreign applications, which pushes mainland users to obtain blocked apps from third-party download sites instead of official stores.

Messaging apps such as Telegram, WhatsApp, and Skype are in high demand among mainland users, which leaves those users exposed to scammers who distribute cloned copies of the apps repackaged with malware designed to drain crypto wallets.

In its analysis, the SlowMist team found that the fraudulent Skype app had been built recently and reported version 8.87.0.403, whereas the legitimate Skype release at the time was 8.107.0.215. The scheme’s back-end domain had first impersonated the Binance exchange on November 23, 2022, then switched to impersonating a Skype back-end domain on May 23, 2023.

The fake Skype app came to light when a user who had lost a substantial sum to the scam reported it. The app’s signing certificate did not match the legitimate one, showing the package had been tampered with and malware inserted. On decompiling the app, the security team found a modified build of the widely used Android networking library ‘okhttp3’ tailored to target crypto users. Unlike the stock library, the altered okhttp3 reads images from the phone’s storage directories in real time.

The malicious okhttp3 prompts users to grant access to local files and images, a request users rarely question because messaging apps routinely ask for the same permissions, so the suspicious behaviour goes unnoticed. Once access is granted, the fake Skype app immediately uploads images, device details, the user ID, the phone number, and other information to the back end. It then continuously scans images and messages for strings in Tron and Ethereum address formats and, whenever it finds one, replaces it with an attacker-controlled address supplied by the phishing gang’s back end.
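To make the address-swap concrete, here is an added example in Python that is not SlowMist’s code and not taken from the trojanized app. It pattern-matches Tron and Ethereum-style addresses in a message, validates Tron hits with the base58check checksum so random base58 strings are not mistaken for wallets, rewrites them to attacker addresses the way the article describes, and includes the defensive check a wallet or chat client could run: compare the addresses the user typed with the addresses that actually left the device. All addresses and the sample message are constructed for the example; the Tron addresses are generated from placeholder key hashes and belong to nobody.

```python
# Added example (not SlowMist's code, not from the trojanized app): detect
# Tron/Ethereum-style addresses in text, validate Tron base58check, mimic the
# substitution the fake app performs, and flag it. All data here is constructed.
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Tron: 0x41 version byte + 20-byte key hash + 4-byte double-SHA256 checksum,
# base58 encoded, always 34 chars starting with 'T'.
# Ethereum: "0x" + 40 hex chars. The EIP-55 mixed-case checksum needs
# keccak-256, which the standard library lacks, so it is only pattern-matched.
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes encode as '1'
    return "1" * pad + "".join(reversed(digits))


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_address(h160: bytes) -> str:
    """Build a valid Tron address from a 20-byte key hash (placeholder bytes here)."""
    assert len(h160) == 20
    payload = b"\x41" + h160
    return b58encode(payload + _checksum(payload))


def is_valid_tron_address(addr: str) -> bool:
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and _checksum(raw[:21]) == raw[21:]


def find_addresses(text: str) -> list[tuple[str, str]]:
    """Return (chain, address) pairs in text order; Tron hits must pass checksum."""
    found = [("tron", m.group()) for m in TRON_RE.finditer(text)
             if is_valid_tron_address(m.group())]
    found += [("eth", m.group()) for m in ETH_RE.finditer(text)]
    return found


def swap_addresses(text: str, replacements: dict[str, str]) -> str:
    """What the trojanized app does: rewrite every detected address to the
    attacker's address for that chain (replacements maps chain -> address)."""
    for chain, addr in find_addresses(text):
        if chain in replacements:
            text = text.replace(addr, replacements[chain])
    return text


def diff_addresses(sent: str, received: str) -> list[tuple[str, str, str]]:
    """Defensive check: compare addresses in what the user typed with what
    actually went out. Any (chain, expected, actual) mismatch means something
    rewrote the address in transit."""
    a, b = find_addresses(sent), find_addresses(received)
    return [(ca, xa, xb) for (ca, xa), (cb, xb) in zip(a, b) if ca == cb and xa != xb]


# Constructed sample data: none of these are real wallets.
VICTIM_TRON = tron_address(bytes(range(20)))
ATTACKER_TRON = tron_address(b"\xff" * 20)
VICTIM_ETH = "0x" + "ab12" * 10
ATTACKER_ETH = "0x" + "dead" * 10
MESSAGE = f"Send USDT to {VICTIM_TRON} on Tron, or {VICTIM_ETH} on Ethereum."

if __name__ == "__main__":
    tampered = swap_addresses(MESSAGE, {"tron": ATTACKER_TRON, "eth": ATTACKER_ETH})
    print(tampered)
    print(diff_addresses(MESSAGE, tampered))
```

The checksum step matters for a detector: a bare regex for 34 base58 characters starting with T also matches hashes and random identifiers, while the double-SHA256 check rejects anything that was not encoded as a Tron address. For Ethereum the equivalent EIP-55 check needs a keccak-256 implementation, so in practice a client would pull in a library for it rather than rely on the hex pattern alone.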

During SlowMist’s testing, the address substitution had already stopped: the phishing back end had been shut down and was no longer handing out attacker addresses. The team also identified a Tron address that had received approximately 192,856 USDT across 110 transactions by November 8, and an Ethereum address that had received around 7,800 USDT in 10 transactions. SlowMist blacklisted all wallet addresses associated with the scam.
