DNS Deep Diving into FakeWallet Crypto Stealer

Securelist uncovered FakeWallet, a campaign of more than 20 phishing apps in the Apple App Store posing as popular crypto wallets such as MetaMask, Ledger, Trust Wallet, and Coinbase. When launched, the apps redirected users to fake App Store–style pages serving trojanized versions of the legitimate wallets, which were engineered to hijack victims' recovery phrases and private keys. Malware metadata indicates the campaign had been active since at least fall 2025.

Securelist publicized[1] 24 network IoCs comprising subdomains, domains, and an IP address. We extracted the unique domains from the subdomain IoCs and used the WhoisXML API MCP Server to identify any belonging to legitimate organizations, then filtered out the legitimate and inactive domains. This left us with 28 network IoCs—12 subdomains, 15 domains, and one IP address—for our investigation, which yielded these findings:

  • One client IP address communicated with three domain IoCs
  • One domain IoC was bulk-registered with two look-alikes
  • Two domain IoCs were likely registered with malicious intent
  • Nine potential victim IP addresses communicated with the sole IP IoC
  • 10,812 email-connected domains, 11 of which were confirmed malicious
  • 18 additional IP addresses, eight of which were confirmed malicious
  • Eight IP-connected domains
  • 17 string-connected domains
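The IoC preparation step described above (reduce subdomain IoCs to their unique registrable domains, drop legitimate and inactive ones, then count what remains by type) as an added example; this is not WhoisXML API's or Securelist's code. The sample IoCs use reserved placeholders (the .test TLD and a 203.0.113.0/24 address), the allowlist is assumed, and the `resolves` callback stands in for a live DNS or WHOIS check.

```python
import ipaddress

# Minimal set of multi-label public suffixes for the demo; a production run
# should consult the full Public Suffix List instead of this stub.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host: str) -> str:
    """Return the apex (registrable) domain, e.g. a.b.example.co.uk -> example.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def triage_iocs(iocs, allowlist, resolves=lambda domain: True):
    """Split raw IoCs into IPs, subdomains and apex domains.

    Apex domains are derived from every hostname, deduplicated, then dropped if
    they are allowlisted (legitimate) or fail the resolves() check (inactive).
    Subdomains whose apex was dropped are dropped with it.
    """
    ips, subdomains, apexes = set(), set(), set()
    for ioc in iocs:
        ioc = ioc.strip().lower().rstrip(".")
        if is_ip(ioc):
            ips.add(ioc)
            continue
        apex = registrable_domain(ioc)
        apexes.add(apex)
        if ioc != apex:
            subdomains.add(ioc)
    kept = {d for d in apexes if d not in allowlist and resolves(d)}
    subdomains = {s for s in subdomains if registrable_domain(s) in kept}
    return {"ips": sorted(ips), "subdomains": sorted(subdomains), "domains": sorted(kept)}

# Constructed placeholder IoCs, not indicators from the campaign.
SAMPLE_IOCS = [
    "wallet-update.example-ioc-1.test", "cdn.example-ioc-1.test",
    "example-ioc-2.test", "login.legit-vendor.test",
    "api.example-ioc-3.co.uk", "203.0.113.5",
]
ALLOWLIST = {"legit-vendor.test"}  # assumed: confirmed legitimate organization

def demo():
    # Simulate "example-ioc-2.test" being inactive (no longer resolving).
    return triage_iocs(SAMPLE_IOCS, ALLOWLIST, resolves=lambda d: d != "example-ioc-2.test")
```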

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

[1] https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/