Skip to main content
Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong. Take 2 min to learn more.

How to Spot Fake Crypto Apps

A fake Trezor app passed Apple's review in 2021 and cost one user 17.1 BTC: these are the 90-second checks that catch nearly every fake app, extension and poisoned search advert.

beginner5 min readDan Clarke
Hero image for how-to-spot-fake-crypto-apps

TL;DR

  • A fake Trezor app passed Apple's review in February 2021 and cost one user 17.1 BTC; store approval does not confirm who made an app.
  • Reach every listing from the vendor's official website, then check the developer name, download count and one-star reviews. About 90 seconds.
  • No app ever needs your seed phrase to check a balance, validate or sync. A seed is only for a restore you started yourself.
  • If your seed went into a fake app, set up a new wallet with a new seed and move your funds immediately.
  • This is a security how-to, not financial advice.

In February 2021, an American named Phillipe Christodoulou wanted to check his bitcoin balance. His coins sat behind a Trezor hardware wallet, so he searched the App Store for a Trezor app and found one: right name, right logo. He installed it and typed in his seed phrase. The app was a fake, and it cost him 17.1 BTC, around $600,000 at the time. Trezor had no iOS app at all.

The Washington Post covered the case, and one detail stuck: he trusted the app because Apple had reviewed it. This guide closes that gap, with checks that take about 90 seconds and need no technical skill. It is a how-to, not financial advice.

Store review is a filter, not an endorsement

App review checks that software runs, respects platform rules and does roughly what the listing claims. It does not verify that the developer calling itself Trezor is Trezor. Verifying identity is the part left to you.

Apple and Google both remove fake crypto apps in recurring waves, and waves is the word to sit with: fakes get in, get reported, get pulled, then come back under fresh names and fresh developer accounts. Review cuts the volume of junk, the last check is yours to do.

The four checks, 90 seconds

Run these before any install that will sit near money, in order. None of them needs a security background, and together they would have caught the fake Trezor app, the extension clones and most of the advert traps further down this page before any money moved.

  1. Reach the listing from the vendor's official website: every wallet company links its genuine apps from its own site, and that route skips the search results where fakes camp. Store search on its own is how Christodoulou met his fake.

  2. Read the developer name, which must match the company exactly, because fakes hide behind close-but-off names and hardly anyone scrolls down to that field.

  3. Check download count and listing age against common sense: an 'official' wallet for a brand with millions of users showing 500 downloads is wrong, so leave.

  4. Read the one-star reviews before the five-star ones: the signature of a fake is a wall of vague five-star praise with a run of recent one-stars saying it stole funds, so trust the one-stars.

That is the entire routine, and most of it is scrolling.

Android, and the file from a forum

Phones add one route riskier than any store: the APK installed from outside the Play Store. Cloned wallet APKs passed around forums, Telegram groups and 'mirror' sites carry no checks at all, and they are the highest-risk install path in crypto. Sideloading skips even the thin screening a store performs, so a cloned wallet reaches your phone without anyone having looked at it once. If a site urges you to sideload its wallet app, close the tab.

Extensions and desktop installers lie too

Fake wallet extensions recur on the Chrome Web Store in documented waves, including knock-offs of MetaMask, the most-used ethereum wallet, and of Ledger Live. The defence does not change: take the extension link from the vendor's site and check the publisher field before adding anything.

Desktop has its own trap: where a wallet offers signed releases, verify your download, the vendor's page shows how, and after one go it becomes habit. Treat update prompts with suspicion too, because across 2018 and 2019, users of Electrum, a bitcoin wallet around since 2011, were fed fake 'update' messages by malicious servers, and the downloads that followed emptied wallets. A message inside a real app can still lie.

The advert above the real result

Search for a wallet brand and the top of the page is often an advert slot. Phishing sites have repeatedly bought that slot for wallet names, sitting above the genuine result with the brand spelled perfectly. The fix is dull and free: type addresses you know, and bookmark every site that touches your money on the day you first use it. On a phone, the verified app you already installed is the bookmark, so open that instead of searching the brand again. Bookmarks do not get outbid.

The rule with no exceptions

Any app that asks for your seed phrase to 'check your balance', 'validate your wallet', 'sync' or 'unstake' is hostile. Not sometimes, every time. A wallet app needs your seed for exactly one job: restoring a wallet you are deliberately restoring, on a device you chose, in a process you started.

Nothing else needs it, because balances are public on the blockchain and can be read from an address alone. Exchanges never ask, support staff never ask, and an on-ramp never asks: Banxa has converted money to crypto and back since 2014, across 100-plus countries, and its checkout wants a wallet address to deliver coins to. It has no use for a seed phrase.

If your seed went into a fake

Treat that wallet as burnt, permanently, because whoever runs the fake now holds a working copy of your keys, which makes this one of the few crypto emergencies where minutes genuinely matter. Set up a fresh wallet with a brand-new seed on a clean device, move everything that remains, and only then delete the app and report the listing. Never reuse the old seed for anything again. The full drill, including where and how to report, is in our guide on what to do if your crypto is stolen.

The fake that took 17.1 BTC had Trezor's name and Trezor's logo. The one thing it could not counterfeit was a link from Trezor's own website, because there was no iOS app to link to. That check would have taken ten seconds.

Frequently Asked Questions

Review teams check that an app runs and follows platform rules, not that the developer is the brand it resembles. Apple and Google keep removing fake crypto apps in waves, and new ones keep arriving. The February 2021 fake Trezor app is the best-known case: it passed Apple's review even though Trezor made no iOS app.

Go to the vendor's official website and follow its link to the store listing, then confirm the developer name matches the company exactly. Those two steps take under a minute and catch most fakes on their own.

No. The fake Trezor case was on iPhone. Android adds one extra risk, which is APK files installed from outside the Play Store, because they skip every check. Fake browser extensions and desktop installers exist as well, so apply the vendor-site rule everywhere.

Yes. Fake wallet extensions have appeared on the Chrome Web Store in repeated waves, including copies of MetaMask and Ledger Live. Install extensions only through the link on the vendor's own site, and check the publisher name before adding them.

No, and it never is. Balances can be read from a public address without any seed. The only time a wallet app needs your seed is when you are deliberately restoring a wallet. Any other request means the app is hostile, so close it and move your funds using a clean device.

Never. Banxa is an on-ramp: it converts your money into crypto and sends the coins to the wallet address you give it, and it has worked that way since 2014. No exchange, on-ramp or support team has a reason to ask for a seed phrase.

By Dan ClarkeLast updated: 14 July 2026