5 New Malware Techniques to Steal Your Crypto (2024)

by Obyte, August 22nd, 2024

Too Long; Didn't Read

Kaspersky Lab discovered a new threat targeting cryptocurrency wallets. The malware was hidden in pirated software available on torrent and pirating websites. It replaces legitimate wallet apps like Exodus and Bitcoin-Qt with infected versions. The cybercriminals behind this scheme use fake but legitimate-looking apps.


Cybercriminals never stop innovating, and they’re especially attracted to cryptocurrencies. You may be on your merry way exploring the Internet without knowing how many landmines you’re about to step on. It never hurts to be careful and keep up to date on the latest security trends when it comes to protecting your crypto funds.


To give you an idea of how big this evil business is for malicious parties, according to Chainalysis, around $24.2 billion was received by illicit crypto addresses in 2023. Don’t be part of the next number! Let’s see some new malware techniques you should be aware of this year and how to protect yourself against them.

A backdoor in macOS


It’s not exactly a good idea to download applications from non-official sites, and this is a great example of why. Cybersecurity firm Kaspersky Lab discovered earlier this year a new threat targeting macOS users’ cryptocurrency wallets, which was hidden in pirated software available on torrent and pirating websites.


When users install these seemingly free programs, they are unknowingly allowing malware onto their computers. The initial step involves an app called "Activator," which prompts users to provide administrative access. This gives the malware the necessary permissions to install itself and disable the normal function of the pirated software, tricking users into thinking they need this Activator to make the software work.


Activator app in the backdoor malware. Image by Kaspersky

Once installed, the malware contacts a remote server to download further malicious instructions. These instructions help the malware create a backdoor, giving hackers continuous access to the infected computer. The main goal of this malware is to steal cryptocurrency. It replaces legitimate wallet apps like Exodus and Bitcoin-Qt with infected versions.


These altered apps then capture sensitive information, such as recovery phrases and wallet passwords, and send them to the hackers, effectively draining your crypto funds. Has a suspicious “Activator” installer appeared just after you obtained a ‘free’ app? Don’t give it access, and uninstall it right away!


Vortax, Web3 Games, and “Markopolo”


The Vortax Campaign is a deceptive malware operation targeting cryptocurrency users, discovered by Recorded Future’s researchers. The cybercriminals behind this scheme use fake but legitimate-looking apps to infect both Windows and macOS devices with information-stealing malware. Posing as a virtual meeting software called Vortax, the app appears credible with a website indexed by search engines, a blog with AI-generated articles, and social media accounts on platforms like X, Telegram, and Discord. The threat actor engages with potential victims in cryptocurrency-themed discussions, directing them to download the Vortax app under the guise of joining a virtual meeting.


Once users follow the provided instructions, they’re redirected to download links that install the Vortax software. However, instead of a functional app, the installation files deliver malware such as Rhadamanthys, Stealc, or Atomic Stealer (AMOS). The Vortax app seems non-functional due to deliberate errors, while in the background the malware starts stealing sensitive information, including passwords and seed phrases. Further investigation revealed that the Vortax campaign is linked to multiple domains hosting similar malicious applications and fake web3 games, suggesting a well-organized effort by the threat actor, identified as Markopolo.


Markopolo's tactics include leveraging social media and messaging platforms to distribute their malware, also masquerading as brands and games like VDeck, Mindspeak, ArgonGame, DustFighter, and Astration. This strategy not only broadens their reach but also increases the likelihood of users being duped into downloading the malicious software. The campaign’s sophistication and adaptability imply that future attacks may become even more prevalent, highlighting the need for users to exercise caution when downloading third-party software, especially if whoever is promoting it seems suspiciously insistent about it.


Pytoileur, a trap for Python devs


Sonatype researchers have uncovered a new threat targeting cryptocurrency users through a malicious Python package called “pytoileur.” Disguised as a legitimate API management tool, pytoileur deceives users into downloading it from the Python Package Index (PyPI). Once installed, the package secretly retrieves and installs harmful software designed to steal cryptocurrency by accessing sensitive information stored on the victim’s device.


The malicious package was cleverly hidden within seemingly innocent code. It downloaded a dangerous executable file that, once executed, carried out various malicious activities. These included modifying system settings, maintaining a presence on the device to avoid detection, and, most importantly, attempting to steal cryptocurrency from wallets and accounts associated with popular services like Binance, Coinbase, and Crypto.com. By accessing browser data and other financial details, the malware could siphon off digital assets without the victim's knowledge.


Pytoileur malicious package found by Sonatype

The distribution of pytoileur involved social engineering tactics, including exploiting community platforms like Stack Overflow to lure developers into downloading the package under the guise of solving technical problems. This incident is part of a broader "Cool package" campaign, indicating an ongoing effort by cybercriminals to target cryptocurrency users through sophisticated and evolving methods. Mend.io, another security firm, has identified over 100 malicious packages on PyPI.


Developers can avoid malicious packages by downloading from trusted sources, verifying package integrity, and reviewing the code before use. Staying updated with security advisories and using automated security tools also helps.
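One concrete form of "verifying package integrity" is hash pinning: a lockfile records the digest of each artifact you reviewed, and anything that does not match is refused, which is what pip does under `--require-hashes`. The checker below is an added example, not Sonatype's or pip's own code; the package name `apitool`, the artifact bytes and the lockfile are constructed for the demo.

```python
import hashlib
import re

HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")

def parse_pins(requirements_text):
    """Map normalized package name -> {algo: {allowed digests}} from hash-pinned
    lines in pip's --require-hashes format (handles backslash continuations)."""
    joined = requirements_text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):       # skip options such as --index-url
            continue
        name_match = NAME_RE.match(line)
        if not name_match:                         # not a plain requirement line
            continue
        name = name_match.group(0).lower().replace("_", "-")
        for m in HASH_RE.finditer(line):
            pins.setdefault(name, {}).setdefault(m["algo"], set()).add(m["digest"])
    return pins

def verify_artifact(name, data, pins):
    """True only if `data` matches a pinned digest for every algorithm listed for
    `name`. A package with no pin at all is rejected, as pip's --require-hashes does."""
    expected = pins.get(name.lower().replace("_", "-"))
    if not expected:
        return False
    return all(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in expected.items())

def demo():
    """Constructed scenario: a reviewed release artifact, the lockfile generated
    from it, and a tampered artifact that must be rejected."""
    reviewed = b"PK\x03\x04 contents of the wheel you audited"   # constructed bytes
    tampered = reviewed + b"\n# extra payload"                   # constructed bytes
    lockfile = ("--index-url https://pypi.org/simple\n"
                "apitool==1.2.0 \\\n"
                f"    --hash=sha256:{hashlib.sha256(reviewed).hexdigest()}\n")
    pins = parse_pins(lockfile)
    return {
        "reviewed_ok": verify_artifact("apitool", reviewed, pins),
        "tampered_ok": verify_artifact("apitool", tampered, pins),
        "unpinned_ok": verify_artifact("pytoileur", reviewed, pins),
    }

if __name__ == "__main__":
    print(demo())
```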


P2PInfect, a swarming threat


P2Pinfect, identified by Cado Security, is a sophisticated malware leveraging a peer-to-peer botnet for control. In other words, the malware detects whether a computer belongs to a network and infects the other joined devices, so that the infected machines communicate with and control each other directly, without relying on a central server. Initially appearing dormant, its updated form now includes ransomware and crypto-mining capabilities.

Upon infection, it primarily spreads through vulnerabilities in Redis, a popular database system, allowing the malware to execute arbitrary commands and propagate itself across connected systems. The botnet feature ensures rapid distribution of updates, maintaining an extensive network of compromised devices, across a whole company, for example.


Victims usually encounter P2Pinfect via insecure Redis configurations or through a limited number of SSH (Secure Shell) login attempts against remote systems using common credentials. Once active on a victim’s system, P2Pinfect installs a crypto miner targeting the Monero cryptocurrency. This miner activates after a brief delay and generates cryptocurrency using the system’s resources, covertly funneling earnings to the attacker’s wallet and slowing the device down.


Ransomware note in P2PInfect. Image by Cado Security

The ransomware component encrypts (blocks) files and demands a crypto payment to retrieve them, though its effectiveness is limited due to the typical permissions of infected Redis servers. The attacker’s Monero wallet has accumulated approximately 71 XMR, equivalent to about $12,400. This illustrates the financial success of the campaign despite the potentially limited impact of the ransomware due to the typical low-value data stored by Redis. To avoid this malware, remember to secure Redis configurations and regularly monitor for unusual activity.
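"Secure Redis configurations" comes down to a handful of redis.conf directives: what the server binds to, whether protected mode is on, whether clients must authenticate, and whether the commands that let a client reconfigure or re-point the server are reachable. The audit below is an added example, not Cado Security's or the Redis project's code; both config samples are constructed, and the password value is a placeholder.

```python
# Constructed sample: a redis.conf that leaves the instance reachable from the
# network with no authentication, the exposure pattern the text describes.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened counterpart (the requirepass value is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass PLACEHOLDER-use-a-long-random-passphrase
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}
# Commands that let a client reconfigure the server or make it replicate from an
# attacker-controlled master; ACL rules (Redis 6+) are the other way to restrict them.
SENSITIVE_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")

def parse_conf(text):
    """Map lowercase directive -> list of argument lists (a directive may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text):
    """Return human-readable findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    binds = [b for args in conf.get("bind", []) for b in args]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind missing or wildcard: listens on all interfaces")
    if any(args[:1] == ["no"] for args in conf.get("protected-mode", [])):
        findings.append("protected-mode no: unauthenticated remote clients accepted")
    if not (conf.keys() & {"requirepass", "aclfile", "user"}):
        findings.append("no authentication configured (requirepass/ACL absent)")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed/disabled")
    return findings
```

Run it against the real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`; an empty list is the goal, and the weak sample produces seven findings.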


Fake AggrTrade, and other malicious extensions


The fake AggrTrade Chrome extension, described by the security firm SlowMist, was a malicious tool that tricked users into losing significant amounts of cryptocurrency. The extension masqueraded as a legitimate trading tool (AggrTrade) but was designed only to steal funds. Users unknowingly installed it, and it then exploited their access to cryptocurrency exchanges and trading platforms by hijacking sensitive information, such as passwords and credentials.


The extension functioned by capturing cookies and other session data, which allowed it to mimic users’ logins and conduct unauthorized transactions. This led to the theft of around $1 million in total. It was distributed through deceptive tactics via social media and marketing promotion that lured victims into downloading and installing it, often from unofficial or suspicious sources.

Fake AggrTrade Extension, before it was erased. Image by SlowMist

This specific threat has already been taken down, but it’s just one example among numerous attempts. Currently, several other malicious Chrome extensions are posing as genuine trading services aimed at stealing crypto. To protect yourself, only install extensions from trusted sources, regularly check permissions, and monitor your accounts for unusual activity.


Also, remember that all browser extensions are able to track your entire browsing history, see what you are doing on each site, and steal cookies and other private data. Using hardware or paper wallets for substantial amounts and keeping security software updated can also enhance your protection against such threats.
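What "check permissions" means in practice: an extension's manifest.json declares which Chrome permissions it holds and which sites it may touch, and the combination of `cookies` plus an all-sites host pattern is exactly what a session-stealing extension needs. The audit below is an added example, not SlowMist's code; the sample manifest is constructed, and the permission list is a curated subset of Chrome's documented permission names.

```python
import json
import re

# Constructed sample MV3 manifest with the permission set that lets an extension read
# every site's cookies and session data, the capability the text warns about.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Trading Helper (constructed example)",
    "permissions": ["cookies", "webRequest", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
})

# Chrome permission names and why a wallet user should care about each of them.
RISKY_PERMISSIONS = {
    "cookies": "read/modify cookies on permitted hosts (session hijacking)",
    "webRequest": "observe network requests, including authenticated API calls",
    "tabs": "see the URL and title of every open tab",
    "history": "read the full browsing history",
    "clipboardRead": "read the clipboard (seed phrases, addresses)",
    "debugger": "attach the debugger to pages and scripts",
    "nativeMessaging": "exchange messages with native programs on the host",
}

def is_broad_pattern(pattern):
    """True for match patterns covering every site: <all_urls> or scheme://*/..."""
    return pattern == "<all_urls>" or re.match(r"^(\*|https?)://\*/", pattern) is not None

def audit_manifest(manifest_json):
    """Return findings for a manifest.json string; an empty list means nothing risky."""
    m = json.loads(manifest_json)
    findings = []
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    hosts = list(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:      # MV2 lists host patterns under "permissions"
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for h in hosts:
        if is_broad_pattern(h):
            findings.append(f"host access {h}: can read and alter every site you visit")
    for script in m.get("content_scripts", []):
        if any(is_broad_pattern(x) for x in script.get("matches", [])):
            findings.append("content script injected into every site")
    return findings
```

Installed extensions live under the browser profile directory (each in its own folder with a manifest.json), so the same function can be pointed at what is actually installed rather than at the sample.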


Protection Measures


To protect against crypto-stealing malware like these, you can apply some basic measures:


  • Install from Trusted Sources: Only use extensions and software from reputable sources and official websites. Verify reviews and permissions before installation.
  • Install as Little Software as Possible: Before installing another app or browser extension on your desktop computer, think again about whether you really need it. Maybe you can achieve your goals with the existing software? (It’s safer on mobile platforms, where each app is sandboxed.)
  • Regular Security Checks: Frequently review and remove unused extensions or software. Regularly check for unusual activity in your crypto accounts (online and offline) and on your system.
  • Use Strong Authentication: Enable two-factor authentication (2FA) on your accounts to add an extra layer of security. In Obyte wallets, you can do this by creating a multidevice account from the main menu or setting a spending password in settings.
  • Employ Anti-Malware Tools: Use up-to-date antivirus and anti-malware tools to detect and block online and offline threats.
  • Secure Your Crypto: Store significant crypto assets in hardware or paper wallets to reduce exposure to online threats. Through the Obyte wallet, you can easily create your own paper wallet by generating a textcoin (twelve random words), writing it down, and then deleting or blocking the software itself until you need to spend the funds.


Inside Obyte and beyond, ensure you’re using secure and verified wallets and follow these best practices to protect your assets!



Featured Vector Image by Freepik