Pudgy Penguins’ browser game Pudgy World, released on March 10, 2026, quickly became the center of a coordinated phishing campaign that sought to turn player interest into stolen crypto credentials. What should have been a high-visibility product launch instead became a fresh attack surface for wallet theft, according to a March 18 warning from Malwarebytes Labs.
The campaign did not emerge in isolation. The activity echoed earlier alerts from blockchain security monitor Scam Sniffer in December 2024, suggesting that scammers have been repeatedly targeting the Pudgy Penguins community whenever franchise momentum creates an opening.
A phishing site impersonating the newly-launched Pudgy World browser game steals crypto passwords.https://t.co/9Z1CsYdFhu
— Malwarebytes (@Malwarebytes) March 18, 2026
A Familiar Brand Used as a Credential Trap
According to Malwarebytes, the attackers built a layered impersonation operation around the game’s visual identity and discovery channels. Fake sites and sponsored search ads were used together so that users searching for Pudgy World could be routed toward fraudulent domains instead of the legitimate destination. One example cited in the warning was a lookalike domain presented as pudgypengu-gamegifts[.]live.
Once users landed on those pages, the attack shifted from brand imitation to direct wallet capture. The fraudulent sites displayed highly convincing overlays that copied the look of major wallet interfaces and prompted users to enter passwords or seed phrases directly into the webpage. Malwarebytes said the campaign imitated as many as 11 wallet products, including MetaMask, Trust Wallet, Coinbase Wallet, Ledger, Trezor, Phantom, OKX, Magic Eden, Solflare and Uniswap Wallet.
That detail matters because the method relied on a basic but effective deception. A legitimate wallet unlock should happen through the browser extension pop-up or the wallet’s native app, not through a form embedded inside a website. By blurring that distinction, the attackers tried to make fake login prompts look routine to users arriving in a hurry from ads or search results.
The Campaign Was Built to Avoid Easy Detection
Malwarebytes also found that the phishing infrastructure included technical evasions meant to limit exposure to researchers and automated analysis. Obfuscated JavaScript loaders were used to check for sandboxes and virtual machines, delivering the full malicious flow only when the visitor appeared more likely to be a real human target.
The campaign also extended beyond software-wallet users. A fake dialog imitating Trezor Connect was reportedly used to request browser USB permissions, creating a path to further social engineering against hardware-wallet users if they continued through the prompts. That made the scam more dangerous because it adapted itself to multiple wallet habits instead of relying on a single attack pattern.
Any Pudgy World link reached through ads, direct messages, or unfamiliar search results should be treated as hostile unless the URL is independently verified. Malwarebytes advised users never to enter seed phrases or wallet passwords into a webpage and recommended moving funds immediately if credentials were exposed.
The broader takeaway is that high-profile launches now create predictable windows for credential-theft campaigns. When a branded crypto product attracts a rush of new traffic, scammers move quickly to intercept that attention through fake domains, paid ads, and wallet impersonation before users have time to verify what they are seeing. For projects and custodians, that means launch planning now has to include security coordination with ad platforms and faster response to fraudulent search placements.