Chinese Hackers Target Crypto Investors With Fraudulent Apps

SlowMist uncovers a Chinese hacker group targeting crypto investors with deceptive apps and stealing users’ assets.

On video chat with a hacker on Skype.
Created by Kornelija Poderskytė from DailyCoin
  • Cybercriminals are targeting concurrency investors with fake applications.
  • Users have reported losses of substantial amounts.
  • Blockchain security firm SlowMist has revealed the hackers’ mode of operation.

The cryptocurrency industry has long grappled with an unrelenting wave of hacks and phishing scams, resulting in substantial losses for investors. As the industry tightens security measures to fortify against these cyberattacks, threat actors are devising new tactics to target more investors and entities.

Following reports of phishing attacks and asset losses from a user, blockchain security firm SlowMist has uncovered the newly-employed strategy by malicious actors to execute crypto theft.

Modus Operandi Unveiled

On November 12, SlowMist published its recent findings on a Chinese-linked group of cyber criminals, which orchestrated the creation of a deceptive Skype application to siphon off crypto assets from unsuspecting victims.


The fraudulent application monitors victims’ messages for crypto-related keywords such as TRX, ETH, and USDT, and employs pre-set malicious crypto wallet addresses to compromise transactions and redirect assets. 

Extract from SlowMIst's investigative piece revealing malicious actors scanning victims' messages for crypto keywords.

Further investigation revealed that the signature phishing backend domain is linked to the same application that impersonated prominent cryptocurrency exchange Binance in November 2022, revealing its recurring threat to the cryptocurrency industry.

Several wallet addresses linked to the phishing scam have been blacklisted, amounting to over 100. One of the TRON chain addresses was identified to have received approximately 192,856 USDT, with 110 deposit transactions. 


The address’ withdrawal records revealed that most of the received funds had been transferred out in batches. However, the address still holds a significant balance, with the most recent transaction occurring on November 8, 2023.

Another ETH chain address received over 7,800 USDT in 10 deposit transactions. The funds on the address have been transferred, with the latest transaction occurring on July 11.

SlowMist cautions users to enhance their security awareness, advising against random application downloads to prevent potential financial losses from malicious apps.

Bankrupt crypto ATM firm Coin Cloud loses sensitive user data to hacker-raid. Find out more:  
Coin Cloud Breach Doxxes Platform Users As Security Fails 

Crypto criminals are not backing down on attacks and Poloniex centralized exchange is the latest to feel the burn. Read more:
Justin Sun’s Poloniex Disables Wallets to Tackle $100M Attack

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Grace Abidemi

Grace Abidemi, a cryptocurrency reporter at DailyCoin, covers industry developments and trends. She previously worked as a freelance writer. With a Bachelor's degree in German Language and certifications in marketing and storytelling, Grace creates engaging content. When not working, she's in Nigeria, mastering cooking and canvas painting, and enjoys learning about different cultures and languages.