Cybersecurity researchers have identified a highly advanced threat known as SeaFlower that has been actively targeting users of widely used Web3 wallets. The campaign, which began circulating in early 2022, demonstrates how attackers are increasingly focusing on decentralized finance users to extract valuable credentials. Analysts noted that the operation reflects a growing trend of malware designed to exploit trust in legitimate applications rather than relying on obvious phishing or disruptive behavior.
Investigators described SeaFlower as one of the most technically complex attacks observed in the Web3 ecosystem to date. Its overall sophistication was assessed as being comparable to campaigns historically associated with groups such as Lazarus Group, although definitive attribution has remained difficult.
Indicators Point to a Chinese-Speaking Group
During the investigation, researchers uncovered several clues suggesting that the attackers operate in a Chinese-speaking environment. These indicators included macOS usernames written in Chinese, IP addresses linked to Chinese networks, and code-signing infrastructure associated with the campaign. The malware was ultimately named SeaFlower after analysts discovered Chinese-language references embedded in the tooling, including a username tied to a known Chinese author. Despite these findings, experts cautioned that technical overlap alone is not sufficient to conclusively identify the threat actors.
How Legitimate Wallets Are Weaponized
SeaFlower primarily functions by altering authentic Web3 wallet applications, including MetaMask, Coinbase Wallet, TokenPocket, and imToken. Attackers insert hidden backdoor code into these apps while preserving their original user interface and features. As a result, victims are unable to detect any abnormal behavior during routine use.
Once a compromised wallet is installed, it behaves exactly like the genuine version. The malicious activity occurs silently in the background, where modified code monitors sensitive actions. When a user initializes a wallet and inputs a recovery seed phrase, that information is covertly transmitted to a remote server controlled by the attackers through encrypted connections.
Technical Details Behind the Theft
Security analysts who reverse-engineered infected wallet versions found multiple methods used to harvest seed phrases. In certain cases, the attackers modified internal functions so that data would be exfiltrated as soon as the seed phrase was stored. Other variants relied on altered development libraries to inject malicious routines that activated when the app accessed secure storage. While these processes were invisible to users, network traffic analysis revealed suspicious outbound communications that exposed the hidden data transfers.
Distribution Through Deceptive Channels
The campaign relied heavily on fraudulent distribution techniques. SeaFlower operators created cloned websites that closely resembled official wallet download pages. These fake sites were then promoted through search engine manipulation, particularly on platforms such as Baidu. Users who clicked on misleading search results were redirected to these counterfeit pages and unknowingly downloaded compromised applications.
Security Implications for Web3 Users
According to assessments shared by Confiant, the danger of SeaFlower lies in its stealth rather than visible disruption. While the backdoored wallets appear harmless during everyday use, the unauthorized extraction of seed phrases places users at immediate risk of total asset loss. Researchers emphasized that this campaign highlights the need for heightened vigilance, careful verification of download sources, and continuous monitoring of application behavior within the rapidly expanding Web3 landscape.
