Phishing Attacks on Bitcoin Wallets
ACTIVE PHISHING CAMPAIGNS DETECTED
Fake websites impersonating popular Bitcoin wallets are appearing in search results and social media ads, distributing malware disguised as legitimate software.
Cake Wallet
FAKE WEBSITE & MALICIOUS DOWNLOAD
Attackers created a convincing clone of the Cake Wallet website and promoted it through search engine ads and social media. The fake site serves a trojanised wallet binary that looks and functions like the real app but exfiltrates seed phrases and private keys to attacker-controlled servers. Users searching for "Cake Wallet download" may encounter the fake site above the real one in search results.
source: @XBToshi
Sparrow Wallet
IMPERSONATION & SEO POISONING
A parallel campaign targets Sparrow Wallet users with a fraudulent website mimicking the official sparrowwallet.com domain. The phishing site uses a similar-looking domain name (typosquatting) and replicates the real site's design pixel-for-pixel. Downloads from the fake site contain wallet-draining malware that activates after import of an existing seed phrase.
source: @FenestratorD
ATTACK VECTOR
1. Fake site created → 2. SEO / paid ads → 3. User downloads → 4. Seeds stolen
How to Protect Yourself
DO NOT
- ✗ Download wallet software from search engine ads or promoted links
- ✗ Trust a wallet website just because it looks official — phishing sites are pixel-perfect clones
- ✗ Enter your seed phrase into software you haven't independently verified
DO
- ✓ Verify GPG signatures on every download. Wallet developers sign releases so you can cryptographically prove the binary hasn't been tampered with.
- ✓ Bookmark official URLs and only download from your bookmarks. Never trust search results for wallet downloads.
- ✓ Check SHA-256 hashes — compare the hash of your downloaded file against the hash published on the developer's signed release page.
- ✓ Use official app stores carefully — even app stores have hosted fake wallets. Cross-reference the developer name and review count.
- ✓ Verify the domain carefully. Look for subtle differences: sparrowwa11et.com vs sparrowwallet.com, cakewa1let.com vs cakewallet.com.
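The domain check from the last item above, as an added example that is not part of the original page: it folds digit-for-letter swaps and measures edit distance against the two official domains this page lists. The swap table, the two-typo threshold and the `.example` hostnames are assumptions made for illustration.

```python
# Added example: flag look-alike hostnames before downloading a wallet.
OFFICIAL = ("cakewallet.com", "sparrowwallet.com")  # the page's official URLs
# Assumed (not exhaustive) table of digits commonly swapped in for letters.
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def fold(text):
    """Map common look-alike characters and pairs back to the letters they imitate."""
    return text.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, max_typos=2):
    """Return (verdict, official_domain) for a hostname."""
    host = host.strip().lower().rstrip(".")
    for good in OFFICIAL:
        # Exact match or a true sub-domain; "notcakewallet.com" does not pass.
        if host == good or host.endswith("." + good):
            return ("official", good)
    labels = host.split(".")
    # Assumption: the registrable name is the label before a one-label TLD.
    name = fold(labels[-2] if len(labels) >= 2 else labels[0])
    for good in OFFICIAL:
        brand = fold(good.split(".")[0])
        near_miss = edit_distance(name, brand) <= max_typos
        embedded = brand in fold(host)  # brand used as sub-domain, prefix, etc.
        if near_miss or embedded:
            return ("lookalike", good)
    return ("unrelated", None)


if __name__ == "__main__":
    # The page's two examples plus constructed hostnames (.example is reserved).
    for h in ("sparrowwa11et.com", "cakewa1let.com", "www.sparrowwallet.com",
              "sparrowwallet.com.downloads.example", "downloads.example"):
        print(h, classify(h))
```

Internationalised (punycode) homoglyph domains are outside what this check covers.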
GPG VERIFICATION IN 30 SECONDS
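    gpg --import developer-key.asc
    gpg --verify release-file.asc release-file

If the output says "Good signature", the file is authentic. That result only shows the file was signed by the key you imported, so get the developer's key or its fingerprint from a source other than the page serving the download. If it says "BAD signature", do not run it. Every major Bitcoin wallet publishes GPG keys and signed releases.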
The Broader Pattern
SUPPLY CHAIN ATTACKS ON BITCOIN SOFTWARE
These Cake Wallet and Sparrow attacks are not isolated incidents. They follow a well-established pattern of targeting Bitcoin users through software supply chain compromise. Attackers know that Bitcoin wallets are high-value targets — a single compromised download can drain a user's entire savings.
2018: Electrum phishing servers — Attackers ran malicious Electrum servers that pushed fake "update required" messages to users. The fake update stole funds. Over 200 BTC stolen in the initial wave.
2020: Ledger database breach — Customer data leaked, enabling highly targeted phishing campaigns. Fake Ledger devices mailed to customers with malware pre-installed.
2023: Fake Trezor apps — Counterfeit Trezor Suite apps appeared on app stores and promoted websites, harvesting seed phrases from unsuspecting users.
2024: SEO poisoning wave — Google search ads for "Bitcoin wallet download" consistently lead to phishing sites before organic results. Multiple wallets targeted simultaneously.
2026: Cake Wallet & Sparrow — Current campaigns using fake websites and social media promotion to distribute trojanised wallet software.
KEY TAKEAWAY
The attack is not on the wallets themselves — the software is not compromised. The attack is on the distribution channel. Verify every download. Never trust, always verify. This is the Bitcoin way.
OFFICIAL URLS — BOOKMARK THESE
Cake Wallet: cakewallet.com
Sparrow Wallet: sparrowwallet.com