Fake “Pudgy World” Site Lures Gamers Into Handing Over Crypto Wallet Passwords

A phishing campaign targeting players of Pudgy Penguins’ Pudgy World game has been identified days after the title’s launch on March 10, using a fake website to steal cryptocurrency wallet credentials.

Cybersecurity firm Malwarebytes said the site mimics legitimate wallet connection flows used for in-game items and digital collectibles. 

Hosted at pudgypengu-gamegifts[.]live, the page includes 11 tailored wallet interfaces designed to imitate different providers, indicating a coordinated and resource-intensive setup.

The practical consequence of all this is that automated scanning tools are likely to rate the initial page as benign, because on their infrastructure, it behaves like one. The malicious functionality never loads unless the attacker’s server decides the visitor is worth targeting.

Stefan Dasic, Malwarebytes Labs.

Related: US Senate Eyes April Vote on Landmark Crypto Market Structure Bill

No public response has been issued by Pudgy Penguins or Igloo Inc.

Hardware Wallet Trap

The attack focuses on extracting seed phrases, particularly from hardware wallet users. When the spoofed connection process fails, users are redirected to a manual input option that requests recovery credentials, which are then captured by the attackers.

The site also includes evasion mechanisms to avoid detection. It checks for virtual machines, automated analysis tools, and other research environments. 

If such conditions are detected, the malicious components do not load, limiting exposure to security investigators.

This is not the first phishing campaign linked to Pudgy Penguins, though. In December 2024, a separate operation used malicious Google Ads and embedded scripts to identify crypto wallets before redirecting users to fraudulent pages.

The Pudgy Penguins NFT collection, managed by Igloo Inc, has declined significantly in value. Its floor price has fallen 88.3% from 36.33 ETH in December 2024 to 4.10 ETH, or about US$8.5K (AU$12K).

Phishing remains a persistent risk across crypto platforms (and basically everywhere on the internet). FBI data for 2024 recorded 193,407 phishing and spoofing incidents, with reported losses exceeding US$70 million (AU$107 million).

Related: Kalshi Slams Arizona Charges as ‘Overstep’ in Prediction Market Showdown

The post Fake “Pudgy World” Site Lures Gamers Into Handing Over Crypto Wallet Passwords appeared first on Crypto News Australia.