Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
imToken

imToken Vendor Cyber Rating & Cyber Score

token.im

imToken is a decentralized digital wallet used to manage and safeguard a wide range of blockchain- and token-based assets, identities, and data. Since its founding in 2016, it has helped its users transact and exchange billions of dollars in value across more than 150 countries around the world. imToken allows its users to manage assets on 12 mainstream blockchains and all EVM chains, as well as seamlessly connect with DApps via a decentralized applications browser. Website: https://token.im Careers: https://careers.token.im/ Twitter: https://twitter.com/imTokenOfficial/ Email: [email protected] Disclaimer: imToken is not currently regulated or licensed, and does not offer any regulated services in any jurisdiction, including but not


imToken A.I CyberSecurity Scoring

imToken
Company Information
Website:https://token.im
Employees number:65
Number of followers:2,368
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:token.im
imToken Risk Score (AI oriented)
Between 700 and 749
logo
imTokenTechnology, Information and Internet
Updated:
01/04/2026
735/1000
Moderate
Ba
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
imToken Global Score (TPRM)
xxxx
logo
imTokenTechnology, Information and Internet
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

imToken
imTokenModerate
Current Score
735Ba (MODERATE)
01000
1 incidents
-31 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
737Before Incident
JUNE 2026
737Before Incident
MAY 2026
736Before Incident
APRIL 2026
736Before Incident
MARCH 2026
735Before Incident
FEBRUARY 2026
766Before Incident
Cyber Attack
26 Feb 2026imToken
imToken, TokenPocket, MetaMask and Coinbase: Sophisticated SeaFlower Backdoor Campaign Targets Web3 Wallets to Steal Seed Phrases

SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting Cryptocurrency Users

735After Incident
CRITICAL-31
METIMTCOITOK1772124856
SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting Cryptocurrency Users A newly uncovered cyber threat campaign, SeaFlower (藏海花), has been targeting users of popular Web3 cryptocurrency wallets with advanced backdoor attacks designed to steal seed phrases and drain funds. Discovered by Confiant analysts, this operation is among the most technically sophisticated threats to Web3 users documented to date, leveraging reverse engineering, app cloning, and covert data exfiltration. ### Targets and Tactics SeaFlower focuses on four major wallets Coinbase Wallet, MetaMask, TokenPocket, and imToken across iOS and Android. The malicious apps are pixel-perfect replicas of legitimate versions, making detection nearly impossible for users. The campaign’s infrastructure, including domains registered under .cn TLDs and Alibaba CDN abuse, points to Chinese-speaking threat actors, with source code comments, developer usernames, and modding frameworks tied to the region. Victims are lured through cloned download sites promoted via Chinese search engines like Baidu, Sogou, 360 Search, and Shenma. These fake sites mimic official wallet pages, complete with fabricated ratings and download counts, tricking users into installing trojanized apps. ### How the Backdoor Works Once installed, the backdoored wallets function normally while silently executing malicious code: - iOS: The attack begins with a provisioning profile download, allowing the app to bypass Apple’s App Store security. An injected .dylib file hooks into the app’s runtime using tools like Cydia Substrate and MonkeyDev, intercepting the dataWithContentsOfFile:options:error function when MetaMask loads its JavaScript bundle. An obfuscated class (FKKKSDFDFFADS) decrypts an RSA-encrypted payload, exfiltrating seed phrases, wallet addresses, and balances to attacker-controlled domains (e.g., trx.lnfura[.]org, mimicking Infura). - Android: For Coinbase Wallet, malicious smali code in a class named XMPMetadata triggers an HTTP POST request when a seed phrase is saved, sending data to colnbase[.]homes/u/sms/. ### Attribution and Impact The campaign’s name derives from a leaked macOS username (“Zhang Haike”), referencing a character in the Chinese novel Tibetan Sea Flower. Additional usernames (“lanyu” and “trader”) further link the operation to a single threat actor. The attack’s sophistication combining app modding, automated deployment, and stealthy exfiltration highlights a significant escalation in Web3-targeted threats. With no visible red flags during normal use, SeaFlower represents a high-risk threat to cryptocurrency users, particularly those relying on third-party download sources. The campaign underscores the growing complexity of attacks against decentralized finance (DeFi) platforms.
INCIDENT DETAILS -
TYPE
Backdoor Attack, Cryptocurrency Wallet Hack
MOTIVATION
Financial gain (cryptocurrency theft), Data exfiltration (seed phrases, wallet addresses, balances)
IMPACT
Financial Loss: Funds drained from cryptocurrency walletsData Compromised: Seed phrases, wallet addresses, balances, personally identifiable information (PII)Systems Affected: iOS and Android devices running trojanized Web3 walletsOperational Impact: Loss of trust in Web3 wallets, potential long-term reputational damage to wallet providersRevenue Loss: Potential loss of revenue for wallet providers due to user attritionBrand Reputation Impact: High (due to sophisticated and stealthy nature of the attack)Identity Theft Risk: High (seed phrases and wallet data stolen)Payment Information Risk: High (cryptocurrency theft)
DATA BREACH
Seed phrasesWallet addressesBalancesPersonally identifiable information (PII)Sensitivity Of Data: High (cryptocurrency access credentials)Data Exfiltration: Yes (to attacker-controlled domains like trx.lnfura[.]org and colnbase[.]homes)Data Encryption: RSA-encrypted payloads for exfiltrationPersonally Identifiable Information: Seed phrases, wallet addresses
JANUARY 2026
766Before Incident
DECEMBER 2025
766Before Incident
NOVEMBER 2025
766Before Incident
OCTOBER 2025
766Before Incident
SEPTEMBER 2025
766Before Incident
AUGUST 2025
766Before Incident

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for imToken ?
?
What was imToken's A.I Rankiteo Cyber Score in June 2026 ?
?
What was imToken's A.I Rankiteo Cyber Score in May 2026 ?
?
What was imToken's A.I Rankiteo Cyber Score in April 2026 ?
?
What was imToken's A.I Rankiteo Cyber Score in March 2026 ?
?
What was imToken's A.I Rankiteo Cyber Score in February 2026 ?
?
What was imToken's A.I Rankiteo Cyber Score in January 2026 ?
?
What was imToken's A.I Rankiteo Cyber Score in December 2025 ?
?
What was imToken's A.I Rankiteo Cyber Score in November 2025 ?
?
What was imToken's A.I Rankiteo Cyber Score in October 2025 ?
?
What was imToken's A.I Rankiteo Cyber Score in September 2025 ?
?
What was imToken's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on imToken's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with imToken ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view imToken's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?
imToken Cyber Scoring History | Rankiteo