Phishing Site Mimics Pudgy World Game to Harvest Crypto Wallet Credentials
What Happened – A fraudulent website (pudgypengu-gamegifts.live) copied the look-and-feel of the newly launched Pudgy World browser game and its wallet-connect flow. When users clicked “Connect wallet,” the site displayed a fake unlock overlay that mimicked popular software and hardware wallet interfaces, capturing private keys or seed phrases.
Why It Matters for TPRM –
- Third‑party SaaS platforms that integrate wallet‑connect APIs can be impersonated to steal credentials.
- Compromise of a vendor’s authentication flow can cascade to downstream partners and customers holding crypto assets.
- The attack leverages brand trust, highlighting the need for rigorous vendor verification of UI/UX elements and domain ownership.
Who Is Affected – Crypto‑focused gaming platforms, NFT projects, Web3 wallet providers, and any organization that relies on third‑party wallet‑connect services.
Recommended Actions –
- Verify that any external site requesting wallet connections is on an officially owned domain (DNS, WHOIS, SSL).
- Enforce multi‑factor authentication for wallet‑related admin actions and educate users on phishing indicators.
- Review contracts with UI/UX vendors to include security clauses for brand impersonation and UI spoofing.
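As an added illustration of the first action (not code from the source report), the check below classifies the origin that asks for a wallet connection: exact allowlist match is official, brand wording on any other host is a lookalike. The allowlist entry `pudgyworld.example`, the brand tokens, and the function names are assumptions made for this example; the page does not state the official domain.

```python
from urllib.parse import urlsplit

# Assumption: placeholder allowlist. The page does not state the official
# domain; replace with domains the vendor has confirmed it owns.
OFFICIAL_DOMAINS = {"pudgyworld.example"}
# Assumption: brand tokens chosen for illustration.
BRAND_TOKENS = ("pudgy", "pengu")
# Typographic hyphens that reports and chat tools substitute for "-".
HYPHEN_VARIANTS = "\u2010\u2011\u2012\u2013\u2014\u2212"


def hostname_of(origin: str) -> str:
    """Return the lower-cased hostname of a URL or bare host, or ""."""
    origin = origin.strip()
    for ch in HYPHEN_VARIANTS:
        origin = origin.replace(ch, "-")
    if "://" not in origin and not origin.startswith("//"):
        origin = "//" + origin  # let urlsplit treat a bare host as netloc
    try:
        host = urlsplit(origin).hostname or ""
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".")


def classify_origin(origin: str) -> str:
    """Return "official", "lookalike", "review", "unlisted" or "invalid"."""
    host = hostname_of(origin)
    if not host:
        return "invalid"
    # Exact match or true subdomain only. A bare endswith(domain) would accept
    # "notpudgyworld.example"; a substring test would accept
    # "pudgyworld.example.login.test".
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"  # brand wording on a host the vendor does not own
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "review"  # IDN label: possible homoglyph, check by hand
    return "unlisted"


if __name__ == "__main__":
    # Domain reported on this page, followed by constructed samples.
    for sample in ("https://pudgypengu-gamegifts.live/", "play.pudgyworld.example",
                   "https://pudgyworld.example@wallet-gifts.test/"):
        print(f"{classify_origin(sample):10} {sample}")
```

A hostname check of this kind only narrows the list; DNS, WHOIS and certificate review still decide ownership.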
Technical Notes – The phishing page reproduces the Reown WalletConnect UI, overlays a fake extension unlock screen, and captures entered seed phrases or private keys. No known CVE; the vector is social engineering via a cloned domain and UI.
Source: Malwarebytes Labs