Cybersecurity firm CTM360 has uncovered a widespread malware campaign known as FraudOnTok that is actively targeting TikTok Shop users. This sophisticated operation combines phishing and malware delivery, aiming to steal cryptocurrency wallet credentials and compromise user devices.
The malware at the center of this campaign is SparkKitty, a spyware variant similar to SparkCat, which was previously documented by Kaspersky. SparkKitty is deployed through fake TikTok-related apps and websites that mimic legitimate TikTok e-commerce services.
How FraudOnTok Works: A Multi-Layered Cyberattack Mimicking TikTok Shop
The FraudOnTok campaign begins by mimicking TikTok’s commercial platforms—TikTok Shop, TikTok Wholesale, and TikTok Mall. Threat actors create fake websites that replicate the real TikTok interface to trick users into thinking they’re making genuine purchases or engaging in affiliate opportunities.
Victims are lured through:
- Meta ads with fake product offers
- AI-generated promotional videos
- Lookalike domains registered under extensions such as .top, .shop and .icu
Once on these sites, users are asked to log in and make payments using cryptocurrency wallets. But this is where the trap closes.
SparkKitty Spyware: How It Steals Data
When a victim installs the fake TikTok app offered through these sites, SparkKitty runs on the device and harvests sensitive data by:
- Accessing the photo gallery
- Extracting screenshots containing wallet information
- Scraping clipboard content
- Enabling silent surveillance of device activity
The spyware is distributed through modified TikTok APKs shared via QR codes, messaging apps, and direct downloads. Because these fake apps closely reproduce TikTok's original user interface, a victim has little visual cue that anything is wrong.
Scale of the Campaign: Thousands of Fake Websites and Apps Deployed
CTM360’s investigation revealed:
- Over 10,000 fake TikTok websites, many registered under free or low-cost top-level domains
- More than 5,000 unique malicious app instances, disguised as TikTok-related applications
- Impersonation of multiple TikTok commerce brands, including Wholesale and Mall divisions
Hybrid Scam Structure: Phishing Meets Trojan Malware
The FraudOnTok campaign follows a hybrid model that includes:
Phishing Pages
Victims are directed to websites that prompt them to enter login credentials, payment details, or seller profiles. This data is quietly harvested and used for further attacks or sold on the dark web.
Trojanized Apps
On mobile devices, victims are encouraged to install counterfeit TikTok apps embedded with SparkKitty. These apps allow attackers to monitor the device, steal credentials, and hijack cryptocurrency wallets.
The Financial Angle: Cryptocurrency Payments and Wallet Theft
Traditional card payments are avoided in this scam. Instead, victims are instructed to pay through digital assets such as USDT, ETH, or other cryptocurrencies, and are often asked to "top up" wallets on what they believe to be official TikTok platforms. Payments sent this way go to attacker-controlled addresses and cannot be reversed; once a victim has also installed the trojanized app, the spyware steals the wallet credentials and drains whatever funds remain.
CTM360’s Recommendations to Stay Protected
CTM360 advises enterprises, users, and sellers to follow these steps:
- Do not download cracked, modded, or unknown applications from unofficial sources like Telegram or torrent sites.
- Always verify domain authenticity. Check the registrable domain (the part just before the top-level domain) rather than trusting a brand name that appears somewhere in the address, and look out for spelling errors or unusual domain extensions.
- Report suspicious ads or apps directly to TikTok or national cyber authorities.
- Businesses should actively monitor for brand impersonation using threat intelligence tools.
- Use antivirus or endpoint detection systems capable of identifying spyware like SparkKitty.
- Choose cryptocurrency wallets with clipboard protection features to prevent credential theft.
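The domain-verification and brand-monitoring advice above can be turned into a simple triage rule: a hostname is only legitimate if its registrable domain is on the brand's allowlist, and anything else that embeds or misspells the brand token is a lookalike candidate. The script below is an added example written for this article, not CTM360's or TikTok's tooling; the LEGIT_DOMAINS allowlist, the SUSPECT_TLDS set, the tiny multi-part suffix table and the sample hostnames are assumptions constructed for the demo, not data from the report.

```python
"""Lookalike-domain triage for a protected brand.

Added example; this is not CTM360's or TikTok's tooling. It checks whether a
hostname belongs to an allowlisted registrable domain and, if not, whether it
embeds or misspells the brand token, optionally noting a TLD that the campaign
write-up associates with the fake storefronts. LEGIT_DOMAINS, SUSPECT_TLDS,
MULTI_PART_SUFFIXES and the sample hostnames are assumptions constructed for
the demo, not data from the report.
"""
from __future__ import annotations

import re

BRAND = "tiktok"
LEGIT_DOMAINS = {"tiktok.com"}                 # assumed allowlist
SUSPECT_TLDS = {"top", "shop", "icu"}          # TLDs named in the write-up
# Compound public suffixes this toy knows about. A production tool would use
# the Public Suffix List (for example via the tldextract package) instead.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "com.br"}
MAX_EDIT_DISTANCE = 2                          # how far a misspelling may drift
MIN_TOKEN_LEN = 4                              # ignore tiny tokens such as "tok"


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for host, e.g. 'a.b.tiktok.com' -> 'tiktok.com'."""
    labels = host.lower().strip().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch 'tlktok' or 't1kt0k'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(host: str) -> dict:
    """Classify a hostname as 'legitimate', 'lookalike' or 'unrelated'.

    The returned dict carries the registrable domain and the reasons so the
    result can be logged or fed into a takedown queue.
    """
    host = host.lower().strip().rstrip(".")
    rd = registrable_domain(host)
    if rd in LEGIT_DOMAINS:
        return {"host": host, "registrable": rd, "verdict": "legitimate", "reasons": []}

    reasons = []
    # Drop the public-suffix labels; everything left is attacker-chosen, which
    # is what makes "tiktok.com.secure-checkout.top" a lookalike, not a match.
    suffix_len = len(rd.split(".")) - 1
    labels = host.split(".")
    name_labels = labels[:-suffix_len] if suffix_len else labels
    for label in name_labels:
        if BRAND in label:
            reasons.append(f"brand token embedded in label '{label}'")
            continue
        for token in re.split(r"[^a-z0-9]+", label):
            if (len(token) >= MIN_TOKEN_LEN
                    and 0 < edit_distance(token, BRAND) <= MAX_EDIT_DISTANCE):
                reasons.append(f"'{token}' is within {MAX_EDIT_DISTANCE} edits of '{BRAND}'")
    tld = rd.rsplit(".", 1)[-1]
    if reasons and tld in SUSPECT_TLDS:
        reasons.append(f"registered under .{tld}, a TLD favoured by the campaign")

    verdict = "lookalike" if reasons else "unrelated"
    return {"host": host, "registrable": rd, "verdict": verdict, "reasons": reasons}


# Constructed sample hostnames for the demo (not domains from the report).
SAMPLE_HOSTS = [
    "shop.tiktok.com",
    "tiktok-shop.top",
    "tlktok-mall.icu",
    "tiktok.com.secure-checkout.top",
    "tiktokwholesale.shop",
    "www.example.com",
]


def triage(hosts=SAMPLE_HOSTS) -> dict:
    """Run classify() over a batch, e.g. newly observed certificate-transparency names."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for h, r in triage().items():
        print(f"{r['verdict']:10s} {h:32s} {'; '.join(r['reasons'])}")
```

The allowlist check comes first on purpose: "shop.tiktok.com" is legitimate because its registrable domain is tiktok.com, while "tiktok.com.secure-checkout.top" is not, even though it starts with the real domain. In a brand-monitoring pipeline the hostnames would come from certificate-transparency logs or newly registered domain feeds rather than a hard-coded list, and the suffix table would be replaced by the Public Suffix List.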