imToken A.I CyberSecurity Scoring
imToken
Company Information
Website:https://token.im
Employees number:65
Number of followers:2,368
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:token.im
imToken Risk Score (AI oriented)
Between 700 and 749
imTokenTechnology, Information and Internet
Updated:
01/04/2026
01/04/2026
735/1000
Moderate
Ba
imToken Global Score (TPRM)
xxxx
imTokenTechnology, Information and Internet
Score locked

imTokenModerate
Current Score
735Ba (MODERATE)
01000
1 incidents
-31 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
737
JUNE 2026
737
MAY 2026
736
APRIL 2026
736
MARCH 2026
735
FEBRUARY 2026
766
Cyber Attack
26 Feb 2026 • imToken
imToken, TokenPocket, MetaMask and Coinbase: Sophisticated SeaFlower Backdoor Campaign Targets Web3 Wallets to Steal Seed Phrases
SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting Cryptocurrency Users
735
CRITICAL-31
METIMTCOITOK1772124856
SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting Cryptocurrency Users
A newly uncovered cyber threat campaign, SeaFlower (藏海花), has been targeting users of popular Web3 cryptocurrency wallets with advanced backdoor attacks designed to steal seed phrases and drain funds. Discovered by Confiant analysts, this operation is among the most technically sophisticated threats to Web3 users documented to date, leveraging reverse engineering, app cloning, and covert data exfiltration.
### Targets and Tactics
SeaFlower focuses on four major wallets Coinbase Wallet, MetaMask, TokenPocket, and imToken across iOS and Android. The malicious apps are pixel-perfect replicas of legitimate versions, making detection nearly impossible for users. The campaign’s infrastructure, including domains registered under .cn TLDs and Alibaba CDN abuse, points to Chinese-speaking threat actors, with source code comments, developer usernames, and modding frameworks tied to the region.
Victims are lured through cloned download sites promoted via Chinese search engines like Baidu, Sogou, 360 Search, and Shenma. These fake sites mimic official wallet pages, complete with fabricated ratings and download counts, tricking users into installing trojanized apps.
### How the Backdoor Works
Once installed, the backdoored wallets function normally while silently executing malicious code:
- iOS: The attack begins with a provisioning profile download, allowing the app to bypass Apple’s App Store security. An injected .dylib file hooks into the app’s runtime using tools like Cydia Substrate and MonkeyDev, intercepting the dataWithContentsOfFile:options:error function when MetaMask loads its JavaScript bundle. An obfuscated class (FKKKSDFDFFADS) decrypts an RSA-encrypted payload, exfiltrating seed phrases, wallet addresses, and balances to attacker-controlled domains (e.g., trx.lnfura[.]org, mimicking Infura).
- Android: For Coinbase Wallet, malicious smali code in a class named XMPMetadata triggers an HTTP POST request when a seed phrase is saved, sending data to colnbase[.]homes/u/sms/.
### Attribution and Impact
The campaign’s name derives from a leaked macOS username (“Zhang Haike”), referencing a character in the Chinese novel Tibetan Sea Flower. Additional usernames (“lanyu” and “trader”) further link the operation to a single threat actor. The attack’s sophistication combining app modding, automated deployment, and stealthy exfiltration highlights a significant escalation in Web3-targeted threats.
With no visible red flags during normal use, SeaFlower represents a high-risk threat to cryptocurrency users, particularly those relying on third-party download sources. The campaign underscores the growing complexity of attacks against decentralized finance (DeFi) platforms.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
JANUARY 2026
766
DECEMBER 2025
766
NOVEMBER 2025
766
OCTOBER 2025
766
SEPTEMBER 2025
766
AUGUST 2025
766
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for imToken ??
What was imToken's A.I Rankiteo Cyber Score in June 2026 ??
What was imToken's A.I Rankiteo Cyber Score in May 2026 ??
What was imToken's A.I Rankiteo Cyber Score in April 2026 ??
What was imToken's A.I Rankiteo Cyber Score in March 2026 ??
What was imToken's A.I Rankiteo Cyber Score in February 2026 ??
What was imToken's A.I Rankiteo Cyber Score in January 2026 ??
What was imToken's A.I Rankiteo Cyber Score in December 2025 ??
What was imToken's A.I Rankiteo Cyber Score in November 2025 ??
What was imToken's A.I Rankiteo Cyber Score in October 2025 ??
What was imToken's A.I Rankiteo Cyber Score in September 2025 ??
What was imToken's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on imToken's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with imToken ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view imToken's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?