Romance scammers exploit Apple’s developer program to spread fake cryptocurrency apps

Swindlers have defrauded victims out of $1.4 million with the romance scam.

Fraudsters are using the promise of love to lure victims into downloading fake cryptocurrency trading apps and then stealing their funds, researchers at Sophos report.

The ongoing campaign, which researchers have dubbed “CryptoRom,” has targeted victims across Europe, the U.S. and Asia. The fraudsters use dating apps like Bumble, Tinder, and Grindr to build trust with a victim. They then move the conversation to a messaging app, where they ask victims to install a fake trading app.

Fraudsters convince victims to invest in the app, ultimately stealing the funds. Thieves have managed to swipe nearly $1.4 million with the ruse, according to an analysis of a bitcoin wallet one of the scammers used. Some 23,000 victims of romance scams reported more than $605 million in losses to the FBI in 2020.

The new findings underscore how fraudsters are turning to Apple’s developer programs in an attempt to evade the company’s policies against sideloading apps. To cut down on users downloading malicious apps, Apple only allows users to download apps from its official App Store. Attackers have found a way around this by using Apple’s program that allows developers to distribute apps that have not been approved by the App Store in a limited capacity for internal testing purposes.


Sophos researchers first reported a similar campaign targeting Android and iOS users in Asia in May. Researchers believe the fraudulent apps are related.

In order to trick the target into downloading the fake app, the attacker sends a link that opens a file which will prompt the user to “trust” the program. The device browser then sends the victim to a page designed to look like the App Store from which they can download the fake cryptocurrency app.

The malicious apps also give the thieves access to more than just bitcoin payments. At least one of the apps discovered by Sophos had an open directory that exposed a trove of personal information, including passport details and ID cards of nationals of Japan, Malaysia, South Korea and China.

Both international and U.S. law enforcement have warned about a massive spike in investment-related romance scams during the pandemic. Cryptocurrency scams using fake trading apps have also spiked in recent months.

While Apple has taken steps in recent years to reduce the abuse of its developer programs to spread malware, Sophos’s researchers predict that hackers will continue to exploit the program for “targeted abuse.”


Criminals are also getting smarter at exploiting the system. In the set of attacks reported in May, the “CryptoRom” scammers used a program for individual developers that only allowed the app to be used on a limited number of devices.

Researchers found in the latest round of attacks that scammers are now using Apple’s enterprise program for developers, allowing them to spread the fraudulent apps to more devices. Moreover, paid commercial services offering enterprise certificates are making it easier for cybercriminals to simply direct victims to a new version of the app if Apple blocks an old signature.

Sophos shared the details of the malicious apps with Apple but did not hear back by the time of publication. Apple did not respond immediately to a request for comment from CyberScoop.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
