Binance fake-app scammers steal crypto funds via malicious Skype app: SlowMist

Quick Take

  • Blockchain security firm SlowMist revealed a phishing attack using a fake Skype app to steal crypto funds.
  • The same malicious actors linked to the scam were responsible for a previous fake Binance app, according to SlowMist.

Blockchain security firm SlowMist revealed a new phishing attack involving a fake Skype app to steal crypto funds from an unsuspecting victim.

The victim contacted SlowMist directly, explaining that his funds were stolen after downloading what he thought was the Skype app from the internet. The scam underscores the vulnerability users face, especially in regions like China, where direct downloads are a substitute for unavailable official app stores, SlowMist said in its report.

“Due to the inaccessibility of Google Play in China, many users often resort to searching for and downloading apps directly from the internet,” SlowMist wrote. “However, the types of fake apps available online are not limited to just wallets and exchanges. Social media applications like Telegram, WhatsApp and Skype are also heavily targeted.”

SlowMist’s subsequent investigation revealed several red flags, with the app's certificate effective date hinting it was newly created in September and signature information pointing toward Chinese origin. A Baidu search found multiple sources of the fake app consistent with the one provided by the victim, SlowMist noted.

How the fake app stole crypto funds

The fake Skype app, camouflaged as the genuine video chat tool and injected with malicious code, monitors for and uploads files and images from users' devices in a bid to capture sensitive information.

Since apps like Skype are used to transfer files and make calls, users don’t usually suspect the activity, SlowMist said — enabling the attackers to obtain user permissions to upload the files, as well as device information, user IDs and phone numbers.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

More specifically, the fake Skype app monitors incoming and outgoing messages to see if they contain Ethereum or Tron blockchain addresses. If detected, these are replaced with hardcoded and dynamic malicious addresses by the attackers, SlowMist said, in an attempt to route any payments to themselves instead.

The SlowMist team found one of the malicious Tron addresses used had received nearly 200,000 USDT ($200,000) over 110 deposit transactions, most recently on Nov. 8. It also identified an Ethereum address that received 7,800 USDT in 10 transactions that were transferred out using BitKeep’s swap service, with the transaction fees sourced from OKX.

However, the phishing interface’s backend has now been shut down and no longer returns malicious addresses, SlowMist noted.

The Binance fake app connection

Notably, the phishing domain linked to the app initially impersonated the crypto exchange Binance before switching to mimic Skype's backend in May. A series of fake domains using the format “bn-download[number].com” have specifically been used for Binance fake app phishing attacks, indicating the group's general focus on the lucrative web3 sector, SlowMist said.

SlowMist advised users to use official app download channels only and enhance their security awareness to mitigate the risk of falling victim to such phishing attacks.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

James Hunt is a reporter at The Block, based in the UK. As the writer behind The Daily newsletter, James also keeps you up to speed on the latest crypto news every weekday. Prior to joining The Block in 2022, James spent four years as a freelance writer in the industry, contributing to both publications and crypto project content. James’ coverage spans everything from Bitcoin and Ethereum to Layer 2 scaling solutions, avant-garde DeFi protocols, evolving DAO governance structures, trending NFTs and memecoins, regulatory landscapes, crypto company deals and the immersive metaverse. You can get in touch with James on Twitter or Telegram via @humanjets or email him at [email protected].


To contact the editor of this story:
Adam James at
[email protected]