FraudOnTok SparkKitty malware campaign targets TikTok shop owners and their cryptocurrency wallets.

CTM360 says it has exposed a major global cybercrime operation, dubbed “FraudOnTok,” that is aggressively targeting users of TikTok Shop and similar e-commerce platforms. This campaign employs a newly identified spyware variant called SparkKitty to steal cryptocurrency wallet credentials and drain victims’ digital funds.

Comprehensive Attack Chain

The FraudOnTok campaign operates by creating convincing fake TikTok Shop websites and distributing trojanized mobile applications that mimic the official TikTok interface. Unsuspecting users are lured via AI-generated ads on social platforms, phishing messages, and QR codes, persuading them to log in or make purchases using cryptocurrency, particularly USDT and ETH. Often, communications push for payments exclusively through these digital currencies to evade traditional fraud controls.

Once downloaded, the counterfeit apps embed the SparkKitty spyware deep within the victim’s device. These malicious applications closely mimic the authentic TikTok interface, making them nearly indistinguishable to the average user. SparkKitty is engineered to covertly access the device’s photo gallery, capture screenshots, and monitor clipboard activity – all with the express aim of harvesting sensitive cryptocurrency wallet information, such as seed phrases and recovery credentials.

Scope and Tactics

The scale of this fraudulent operation is significant. CTM360’s threat intelligence uncovered more than 10,000 impersonated TikTok-related websites and over 5,000 unique malicious app instances. These are distributed using a combination of direct downloads, messaging platforms, and scannable QR codes circulating among potential victims worldwide. The attackers deploy a hybrid strategy, combining credential phishing with advanced mobile spyware to maximize their reach and impact.

Both TikTok Shop buyers and affiliate program members are at risk. Fake online storefronts and scam promotions target e-commerce participants, while SparkKitty-infected apps circulate widely on both iOS and Android, sometimes even reaching official app marketplaces due to their convincing appearance.

Technical Insights on SparkKitty

SparkKitty builds on a lineage of malware previously observed targeting mobile cryptocurrency users. Its core capabilities include taking unauthorized screenshots, scraping the clipboard for wallet information, and attempting to retrieve private cryptocurrency keys or recovery phrases from device storage. The malware’s persistent surveillance enables threat actors to bypass many basic wallet security measures, ultimately leading to direct asset theft.

CTM360’s Call to Action

In response to the FraudOnTok campaign, CTM360 advises users to:

  • Refrain from downloading modded or unofficial applications, especially those promoted via social media or unfamiliar websites.
  • Scrutinize website domains for authenticity before entering credentials or making any payments.
  • Rely on trusted, officially vetted cryptocurrency wallet apps that offer extra layers of protection, like clipboard security features.
  • Report suspicious TikTok-themed websites, apps, or affiliate offers to both TikTok and cyber authorities.
  • For organizations and brands: employ ongoing threat intelligence and digital risk monitoring to detect impersonation, phishing, and new malware trends at an early stage.
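The impersonation monitoring recommended above can be started with a lookalike-domain triage. The following is an added example, not CTM360 tooling or anything from the article: it folds digit/letter homoglyphs, fuzzily matches the brand token, and flags hosts that carry the brand outside an allow-list. The allow-list, homoglyph table and sample hosts are constructed assumptions, and the public-suffix handling is deliberately simplified.

```python
import unicodedata
from urllib.parse import urlsplit
# Brand and context tokens drawn from the article (TikTok Shop, affiliate offers, USDT payments).
BRAND_TOKENS = ("tiktok",)
CONTEXT_TOKENS = ("shop", "affiliate", "seller", "wallet", "usdt", "login", "verify")
# Allow-list of genuine domains; constructed for this example, check against the brand's real domains.
LEGITIMATE = ("tiktok.com", "tiktokshop.com")
# Digit/letter lookalikes often swapped in typosquats (a heuristic assumption, not from the article).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

def normalize(label: str) -> str:
    """Fold Unicode to ASCII, lowercase, map digit lookalikes and drop separators."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded.replace("-", "").replace("_", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_contains(label: str, token: str) -> bool:
    """True when some window of the label is within one edit of the brand token."""
    n = len(token)
    return any(edit_distance(label[i:i + w], token) <= 1
               for w in (n - 1, n, n + 1) for i in range(len(label) - w + 1))

def score_domain(url_or_host: str) -> dict:
    """Classify a URL or host as legitimate, suspicious (brand lookalike) or benign, with reasons."""
    host = (urlsplit(url_or_host if "//" in url_or_host else "//" + url_or_host).hostname or "").lower()
    if any(host == legit or host.endswith("." + legit) for legit in LEGITIMATE):
        return {"host": host, "verdict": "legitimate", "reasons": []}
    reasons = []
    for label in host.split(".")[:-1]:  # drop the TLD; assumes a single-label public suffix
        norm = normalize(label)
        reasons += [f"brand lookalike '{b}' in label '{label}'" for b in BRAND_TOKENS if fuzzy_contains(norm, b)]
        reasons += [f"context token '{c}' in label '{label}'" for c in CONTEXT_TOKENS if c in norm]
    verdict = "suspicious" if any(r.startswith("brand") for r in reasons) else "benign"
    return {"host": host, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample hosts for illustration, not indicators from the article.
    for sample in ("https://shop.tiktok.com/affiliate", "t1kt0k-sh0p.xyz", "tiktok.com.login-verify.cc", "example.org"):
        print(score_domain(sample))
```

A brand-in-subdomain host such as the third sample is flagged because the allow-list is matched against the registrable suffix, not against any label that merely contains the brand.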
