Pudgy World Counterfeit! Malwarebytes Warns of Phishing Website Stealing Wallet Passwords

MarketWhisper

Cybersecurity firm Malwarebytes Labs issued an urgent warning on Tuesday about a fake website at the domain “pudgypengu-gamegifts[.]live” that impersonates the Pudgy World browser game, which launched on March 10, in an attempt to steal cryptocurrency wallet passwords.

Sophisticated Phishing Tactics: Replicating 11 Wallet Interfaces

Malwarebytes senior malware researcher Stefan Dasic detailed the attack’s design logic in the report. Some features of Pudgy World, such as verifying NFT ownership or unlocking game content, require players to connect their crypto wallets. The attackers exploit this legitimate step to deceive users:

“The phishing site leverages this process. When visitors select their wallet on the fake site, the page displays a screen that appears to be the wallet’s own unlock interface. To users, it looks exactly like the real, trusted crypto wallet software they are familiar with.”

Dasic also pointed out that the technical resources behind this attack are quite impressive: the attackers created fake unlock interfaces for 11 different wallets, so users of almost any wallet can be targeted. Whether users hold Ethereum, Solana, or multi-chain assets, they can be shown a highly realistic counterfeit wallet unlock screen. He believes that developing 11 different wallet UI fakes “is not an easy task,” indicating that the threat actor behind this may be “well-resourced,” or may have reused a commercial phishing toolkit designed specifically for such attacks.

Pudgy World’s Brand Background and Security Risks

Pudgy World is a free browser game based on the Pudgy Penguins NFT brand, allowing players to explore a virtual world, customize penguin avatars, and complete missions. Since CEO Luca Netz’s acquisition in 2022, Pudgy Penguins has expanded from a simple NFT collection into a consumer brand encompassing retail products, mobile games, and web-based games.

However, Pudgy Penguins has previously been targeted by similar attacks. In December 2024, blockchain security firm Scam Sniffer warned that attackers used malicious Google ads impersonating the Pudgy Penguins platform to trick users into connecting their wallets. Researchers noted that such attacks often coincide with major events of high-profile NFT projects, as the influx of new users creates prime opportunities for exploitation.

Protection Tips: How to Avoid Becoming a Victim

Malwarebytes offers the following specific protective measures for Pudgy World users:

  • Access the official website only via bookmarks: Avoid entering the game through search engine links or social media redirects.
  • Be alert to wallet password prompts: Legitimate wallet password prompts will never appear within web pages; if a page asks for your wallet password in the browser, stop immediately.
  • Do not click links in private messages or social media: Official links for crypto projects should be obtained directly from the official Twitter/X or Discord pinned messages.
  • Act immediately if you entered credentials on a suspicious site: Change your wallet password right away; if you suspect your wallet has been compromised, consider transferring assets to a new wallet address.

Frequently Asked Questions

Q: How can I confirm I am visiting the legitimate Pudgy World and not a fake site?
Verification methods include comparing the domain name with the official Pudgy Penguins website’s domain (watch out for extra characters or hyphens), obtaining game links directly from official Twitter/X or Discord channels, and using bookmarks to save verified official addresses instead of searching for them each time.
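
The domain comparison described in this answer can also be run by defenders over hostnames seen in DNS or proxy logs. The following is an added example, not code from Malwarebytes or the original article; the allowlisted domain `official-site.example` is a placeholder, the token list is an assumption derived from the reported domain, and every sample hostname except the reported one is constructed.

```python
import re

# Assumption: placeholder allowlist; replace with the domains you have verified.
OFFICIAL_DOMAINS = {"official-site.example"}
# Assumption: brand fragments visible in the domain reported in the article.
BRAND_TOKENS = ("pudgy", "pengu")

def refang(indicator: str) -> str:
    """Normalise a defanged indicator such as 'hxxps://a[.]b/path' to a hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)           # drop http/hxxp scheme
    host = re.split(r"[/:?#]", host, maxsplit=1)[0]  # drop port, path, query
    return host.rstrip(".")

def is_official(host: str) -> bool:
    """Exact match, or a true subdomain matched on a dot boundary."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def classify(indicator: str):
    """Return (verdict, reasons) for one hostname; a triage signal, not a block list."""
    host = refang(indicator)
    if is_official(host):
        return "official", []
    reasons = []
    tokens = [t for t in BRAND_TOKENS if t in host.replace("-", "")]
    if tokens:
        reasons.append("brand token outside allowlist: " + ",".join(tokens))
    if any(d in host for d in OFFICIAL_DOMAINS):
        reasons.append("official domain embedded in a different domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, review for homoglyphs")
    if tokens and "-" in host:
        reasons.append("hyphenated extra words around brand")
    return ("suspicious" if reasons else "unrelated"), reasons

# Constructed sample input; only the first entry comes from the article.
SAMPLES = [
    "pudgypengu-gamegifts[.]live",
    "hxxps://play.official-site.example/start",
    "official-site.example.login-check.test",
    "xn--constructed.test",
    "weather.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

Substring matching on brand fragments will also flag unrelated names that happen to contain them, so treat a "suspicious" verdict as a prompt for review.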

Q: Why do attackers act immediately after a new game launches?
Stefan Dasic from Malwarebytes explains that the timing is deliberate—launching a new game attracts many new crypto wallet users who are unfamiliar with the requirement to connect their wallets, making them more vulnerable. Additionally, the surge in search volume for the new game increases the likelihood of fake sites appearing at the top of search results.

Q: FBI data shows phishing scams caused over $70 million in losses in 2024. How high is the risk for crypto users?
According to the FBI’s Internet Crime Complaint Center (IC3), there were 193,407 phishing and scam complaints in 2024, with losses exceeding $70 million, not including many unreported cases. Crypto users face higher risks due to the anonymity and irreversibility of assets: once assets are transferred to an attacker-controlled address, recovery is nearly impossible.
