Why are fake wallets the biggest security risk?

1. Why do fake wallets exist?

Due to the open nature of the Android platform, fake wallets are created by reverse-engineering the official wallet installation package. These fake wallets include methods to steal users' private key mnemonic phrases used for importing or creating wallet addresses. They are typically bundled with monitoring tools to maximize their own interests, displaying a profit-driven mentality.

2.Why do people download fake wallets?

After conducting our investigation and analysis, we have identified two main channels through which users download counterfeit wallets:

Fake Official Website Download

After searching for TP Wallet on search engines like Baidu and Google, users click on the download button without verifying whether the website is an official one.

Download the installation package provided by a third party.

The third parties here include friends, relatives, fake customer service, etc.

3.Some characteristics of a fake wallet that steals assets.

Due to the fact that fake wallets can steal users' private key mnemonics, they utilize tools to load and monitor them. When they detect a large amount of assets being transferred, they immediately steal them if they are EVM chain assets. If it is a TRON wallet, they will promptly execute malicious multi-signature operations (and if the opponent's TRX is insufficient, they will automatically transfer 100 TRX to modify permissions). Their commands executed on the chain are invoked through the "Transfer" method, which implies actions performed by signing with the private key mnemonic.

How to Distinguish between Counterfeit Wallets and Genuine Wallets.

The fake wallet is currently the only channel that can confirm the leakage of private key mnemonic words, so the investigation can be conducted step by step through methods such as verifying the wallet download channel, wallet version number, wallet version updates, and wallet installation package hash value, gradually going deeper into the investigation.

Wallet Download Channels

The download channels for TokenPocket include the official website downloads: www.tokenpocket.pro and www.tpwallet.io, as well as Google Play, App Store (TP Wallet), Huawei Overseas Market, OPPO Overseas Market, VIVO Overseas Market, and Samsung Store. If you use other search tools to find and download the wallet, there may be significant security risks.

Check TokenPocket version number.

Click on "Mine," then click on "About Us" to view your wallet version number.

If the version number of your wallet is higher than the latest official wallet version, it is a fake wallet. Please transfer your wallet assets immediately and uninstall the fake wallet! Do not use the private key mnemonic of your current wallet again!

Update in wallet

If you find that the current version of your wallet is not the latest version, you can click on the "Version Update" function in the above image to download the latest version and overwrite it for security. This installation method will not cause loss of your assets, and there is no need to re-import private keys or mnemonic phrases into the wallet. If you encounter error messages during the installation process, such as installation errors or signature errors, then it is highly likely that it is a fake wallet.

The method of verification based on a hash value (the most accurate method).

Because everyone has different practical abilities, we use these four progressive methods for troubleshooting. The file hash verification tool is a tool that calculates the hash value of file content. This tool can quickly calculate the hash value of a file, and the calculated hash value can be compared with the official hash value to verify if the file content has been tampered with.

Click to view: Method for Checking the Hash Value of a Genuine Wallet.

The handling method after discovering counterfeit wallets.

After confirming the use of the fake wallet using the query method provided above, immediately transfer all wallet assets imported into each chain by means of a transfer to a new wallet address/exchange address that has not been imported into the fake wallet using the private key/mnemonic. You can use the TokenPocket plugin on your computer to create a new wallet address. Once the transfer is complete, please uninstall the fake wallet.

Please note:

Due to downloading a fake wallet, your wallet private key and mnemonic phrase have been compromised. Please refrain from using the current wallet address. Additionally, some fake wallets may prohibit users from transferring assets. If you encounter a situation where there is sufficient miner's fee but unable to make a transfer, it is recommended to abandon the assets within the fake wallet.

During the transfer process, please carefully verify the receiving network and receiving address. If you are unfamiliar with the transfer operation, please click to view the transfer tutorial.

Please make sure to download and use the TokenPocket wallet through the TokenPocket official website or the officially recommended channels.

Measures taken by TokenPocket official against fake wallets.

Currently, all counterfeit wallets on the market are achieved by modifying the official APK of TokenPocket. This is also why fake wallets and genuine wallets have almost no difference in terms of page design. Scammers tamper with the official wallet APK to modify the storage logic of user private keys and mnemonic phrases, thereby gaining control and transferring user assets, with the goal of stealing assets.

Apart from the malicious tampering of the storage logic for private keys and mnemonic phrases, scammers have not made any other changes. Therefore, users of fake wallets can see popup messages within the wallet that are officially released. Thus, popup reminders serve as one of the important channels through which TokenPocket helps users escape from the fake wallet scam.

The user's private key mnemonic phrase is only stored on the user's device, and the official platform will never obtain the user's wallet private key and mnemonic phrase through any means!

Learn more.

How to contact official customer service:

If you have confirmed that you have downloaded a fake wallet and require assistance from customer service to resolve the issue, please send an email to service@tokenpocket.pro.

Please note:

1. If your wallet becomes unable to transfer assets due to downloading a fake wallet, the official team cannot provide any solutions. It is recommended that you immediately stop using the fake wallet and no longer use the private key or mnemonic phrase of your current wallet.

2. User wallets are solely controlled by the private key or mnemonic phrase. If you lose your assets due to downloading a fake wallet, TokenPocket cannot assist in recovering them.

3. Please contact the official customer service via email. Official customer service representatives and staff will never initiate private conversations with you or ask for any form of compensation.

4. Any requests to verify your wallet, activate your wallet, or transfer assets to the current wallet address are scams.

5. Please make sure to download TokenPocket from the official website: https://tokenpocket.pro/ and https://tpwallet.io/.