In brief

  • A fake site is impersonating the newly launched Pudgy World game.
  • The attack mimics real crypto wallet interfaces to steal passwords.
  • Phishing is a major cybercrime vector, with over 193,000 FBI complaints in 2024.

A fake website impersonating Pudgy Penguins’ newly launched Pudgy World browser game is attempting to steal cryptocurrency wallet passwords, cybersecurity firm Malwarebytes Labs warned Tuesday.

In a report, Malwarebytes said the phishing operation, pudgypengu-gamegifts[.]live, uses highly convincing replicas of crypto wallet interfaces to deceive users. “Some features are tied to digital collectibles and in-game items stored in cryptocurrency wallets. That means the official game sometimes asks players to connect a crypto wallet to verify ownership of items or unlock additional features,” Stefan Dasic, senior malware research engineer and report author, said.

“The phishing site abuses that step: When a visitor selects their wallet on this fake site, it shows what appears to be that wallet’s own unlock screen. To the user, it looks for all the world like the real crypto wallet software they already trust.”

Phishing remains one of the most widespread forms of cybercrime. According to the FBI’s Internet Crime Complaint Center (IC3), phishing and spoofing scams accounted for 193,407 complaints in 2024, with reported losses exceeding $70 million. It is not known if anyone has fallen victim to this particular site.

What is Pudgy World?

The warning comes a week after the launch of Pudgy World, a free-to-play browser game tied to the Pudgy Penguins NFT brand. The game, which went live on March 10, allows players to explore a virtual world, customize penguin avatars and complete quests, with some features requiring users to connect cryptocurrency wallets.

Pudgy Penguins has grown rapidly since being acquired by CEO Luca Netz in 2022, expanding from an NFT collection into a broader consumer brand with retail products, a mobile game and now a browser-based game. The collection has a floor price of 4.25 ETH ($9,500), according to CoinGecko, 88.3% below its December 2024 high of 36.33 ETH.

Dasic said the timing of the campaign appears deliberate, coinciding with the game’s launch and the influx of new users unfamiliar with crypto wallet security practices.

“The range of wallets targeted is also significant. The campaign leaves almost no wallet blind spot,” he said. “Whether the victim holds Ethereum, Solana, or multi-chain assets, there is a convincing forgery waiting for them.”

“Building 11 wallet-specific UI forgeries is not a trivial undertaking,” Dasic added, noting that it suggests either a “well-resourced threat actor” or the reuse of a commercial phishing kit built for this class of attack.

Such tactics are common in crypto-related scams, where attackers register domains that closely resemble legitimate ones or manipulate search ads to appear authentic. For example, fraudsters may send out official-looking emails using a domain with “.qov” instead of “.gov” in the hopes people won’t notice the slight difference.
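An added example, not taken from the Malwarebytes report or this article: a small Python check a defender could run over observed hostnames to flag the two lookalike patterns described above, a brand-like token on a host that is not allowlisted and a TLD one character away from a trusted one. The allowlist entry `pudgyworld.example`, the keyword list and the hostname `agency.qov` are constructed assumptions; only the defanged phishing domain comes from the article.

```python
import re

# Assumptions: the defender supplies the keyword list and allowlist.
# "pudgyworld.example" is a placeholder, not the game's real domain.
BRAND_KEYWORDS = ["pudgypenguins", "pudgyworld"]
ALLOWLIST = {"pudgyworld.example"}
TRUSTED_TLDS = ["gov", "com", "org"]

def refang(indicator):
    """Turn a defanged indicator such as 'site[.]live' into a hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator):
    """Return (verdict, reasons) for one observed hostname."""
    host = refang(indicator)
    if host in ALLOWLIST:
        return "allowlisted", []
    *names, tld = host.split(".")
    reasons = []
    # Pattern 1: a TLD one substitution away from a trusted one (.qov vs .gov).
    if tld not in TRUSTED_TLDS:
        for good in TRUSTED_TLDS:
            if len(tld) == len(good) and edit_distance(tld, good) == 1:
                reasons.append(f"TLD '{tld}' is one character from '{good}'")
    # Pattern 2: a hyphen- or dot-separated token that is a prefix of, or a
    # near miss for, a brand keyword on a host that is not allowlisted.
    for token in re.split(r"[-_]", "-".join(names)):
        if len(token) < 6:
            continue
        for brand in BRAND_KEYWORDS:
            if brand.startswith(token) or edit_distance(token, brand) <= 2:
                reasons.append(f"token '{token}' resembles '{brand}'")
    return ("suspicious" if reasons else "unknown"), reasons

if __name__ == "__main__":
    # Constructed inputs, apart from the defanged domain quoted in the article.
    for sample in ["pudgypengu-gamegifts[.]live", "agency.qov", "pudgyworld.example"]:
        print(sample, classify(sample))
```

A verdict of "unknown" means only that neither pattern matched; it is not a statement that the host is safe.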

Pudgy Penguins has previously been targeted by scammers using fake sites. In December 2024, blockchain security firm Scam Sniffer warned that attackers were using malicious Google ads to impersonate Pudgy Penguins platforms and trick users into connecting their wallets.

Users are advised to access official sites only through trusted bookmarks, avoid clicking links from social media or direct messages, and remember that legitimate wallet password prompts do not appear inside webpage content. Malwarebytes also recommended changing wallet passwords immediately if credentials were entered on a suspicious site and considering moving funds to a new wallet if compromise is suspected.

Pudgy Penguins has been approached for comment.
