Malware is any malicious software designed to infiltrate and harm a system, and crypto-stealing malware specifically targets digital assets. These threats come in many forms, tricking users into installing them through fake apps, phishing links, or compromised software. Once inside a device, they can steal private keys, modify transactions, or deceive victims into approving fraudulent transfers, leading to significant financial losses.
In 2024 alone, wallet drainer malware stole nearly $500 million from over 332,000 victims, marking a sharp rise from the previous year. The largest single theft reached $55.48 million, with the first quarter seeing the highest activity. Hackers and scammers are pretty active, as we can see. That’s why we’ll explore here five relatively new cunning malware types, from deceptive trojans to sneaky transaction-altering clippers.
SparkCat & SpyAgent
You know you should take care of your private keys, preferably outside the digital world. But have you ever felt lazy enough to just take a screenshot of them, and save it inside your gallery? Who will ever know, right? Well, this malware type is the very reason why you should stop doing that. Cybercriminals will know and snatch all your coins.
They’re now using optical character recognition (OCR) technology to scan images stored on your device for sensitive information. OCR-based malware can detect and extract text from screenshots, putting your cryptocurrency recovery phrases, passwords, and other private data at risk. If you’ve ever taken a screenshot of a wallet seed phrase, login credentials, or personal messages, this malware can find it and send it to attackers—giving them full control over your accounts.
Kaspersky identified SparkCat, which has been active on both Google Play and the App Store, while McAfee discovered SpyAgent, mainly spreading through Android APKs outside official stores. The two malware strains are suspiciously similar, so they might as well be the same under different names. SparkCat has been found in popular apps like messengers and food delivery services, with over 242,000 downloads, targeting users in the UAE, Europe, and Asia. Meanwhile, SpyAgent has focused on South Korea, with signs of expansion to the UK.
To protect yourself, besides avoiding storing sensitive information in screenshots, only download well-ranked apps from official stores, and be cautious about granting unnecessary permissions. If you suspect an infection, remove the app immediately and use security tools to scan your device.
Fake Job Offers
Are you looking for a job in the crypto industry right now? You may be at risk of being scammed by the criminals behind this type of malware. They create fake job postings on trusted platforms like LinkedIn, CryptoJobsList, and WellFound, luring victims into fake interviews. The process seems professional at first, with initial exchanges happening over email or messaging apps like Telegram and Discord.
However, at some point, the recruiter asks the applicant to download special video conferencing software to complete the interview. This software, often presented as a tool like “Willo,” “Meeten,” or “GrassCall,” is actually a trojan designed to steal personal data and cryptocurrency. Once installed, the malware activates and begins gathering sensitive information from the victim’s device.
Among these malicious programs, Meeten stands out for its ability to steal cryptocurrency directly from browser wallets. Researchers from Cado Security Labs uncovered that Meeten’s malware can collect banking details, browser cookies, and even passwords stored in popular crypto wallets like Ledger and Trezor. GrassCall follows a similar pattern but is linked to a Russian cybercriminal group called Crazy Evil. This group specializes in social engineering attacks, using fake job interviews to gain victims’ trust.
Victims who download the GrassCall software unknowingly install a remote access trojan (RAT) alongside an infostealer. These programs allow attackers to log keystrokes, extract passwords, and drain crypto wallets. Security experts tracking this campaign found that the criminals even rewarded their affiliates with a share of the stolen assets, making it a highly organized operation. To stay safe from such scams, always be cautious when asked to download software from unfamiliar sources, verify recruiters’ identities through official company websites, and use security tools to detect suspicious activity on your devices.
MassJacker
Clippers are a type of malware that specifically targets cryptocurrency transactions by monitoring the clipboard of an infected device. When you copy a wallet address, clippers silently replace it with one controlled by attackers. Since cryptocurrency transactions are irreversible, if you don’t double-check the address before sending funds, your money could be gone for good. Clippers are simple yet highly effective, as they don’t require sophisticated attacks—just an unnoticed swap in your copied text.
MassJacker is a large-scale clipper campaign recently discovered to be using at least 778,531 fraudulent wallet addresses. At the time of analysis by CyberArk, only 423 of the wallets contained any funds, totaling about $95,300, but historical data suggests much larger sums have been stolen. The malware operators seem to rely on a central Solana wallet, which has received over $300,000 so far. MassJacker spreads through pirated software downloads, particularly from a site called pesktop[.]com.
When you run an infected installer (for a movie, a game, a tool, etc.), a hidden script executes a complex chain of malware loaders, eventually injecting MassJacker into a legitimate Windows process to evade detection. To avoid MassJacker and similar threats, be cautious when downloading software, especially pirated programs, as they are a common delivery method for malware. Always verify wallet addresses manually before confirming any transaction to ensure they haven’t been altered.
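As an added illustration (not code from the original article or from CyberArk's MassJacker analysis), this Python script shows one way to put the "monitor your clipboard" advice into practice: it runs a clipper heuristic over a constructed series of clipboard snapshots and flags the case where one address is replaced by a different address of the same family within a couple of seconds, which is exactly how a clipper behaves. The address patterns, the two-second threshold and the sample addresses are assumptions made for this demo.

```python
import re
from dataclasses import dataclass

# Rough address shapes (assumed heuristics, not full validation): legacy/P2SH
# and bech32 Bitcoin, EVM chains, and Solana base58 keys.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def address_kind(text):
    """Return which address family the clipboard text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class Snapshot:
    t: float       # seconds since the monitor started
    content: str   # clipboard text observed at that moment

def detect_clipper_swaps(snapshots, max_gap=2.0):
    """Flag (time, before, after) whenever the clipboard changes from one address
    to a different address of the same family within max_gap seconds. A user
    re-copying a fresh address that fast is rare; a clipper rewriting the
    clipboard right after a copy produces exactly this pattern."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur.content == prev.content:
            continue
        before, after = address_kind(prev.content), address_kind(cur.content)
        if before is not None and before == after and cur.t - prev.t <= max_gap:
            alerts.append((cur.t, prev.content.strip(), cur.content.strip()))
    return alerts

# Constructed clipboard history for the demo; the addresses are placeholders.
SAMPLE_HISTORY = [
    Snapshot(0.0, "meeting notes for tuesday"),
    Snapshot(5.0, "bc1qexampleuserownedaddress000000000000"),    # user copies an address
    Snapshot(5.3, "bc1qattackerswappedaddress0000000000000"),    # rewritten 0.3 s later
    Snapshot(40.0, "0x1111111111111111111111111111111111111111"),
    Snapshot(95.0, "0x2222222222222222222222222222222222222222"),  # slow, legitimate change
]

if __name__ == "__main__":
    for t, before, after in detect_clipper_swaps(SAMPLE_HISTORY):
        print(f"t={t}s: clipboard swapped {before} -> {after}")
```

A real monitor would feed `detect_clipper_swaps` with periodic reads of the system clipboard; the heuristic alone does not prove infection, so treat an alert as a prompt to compare the pasted address with the one you intended before sending.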
GitVenom
If you’re an open-source developer using GitHub, you should be extra cautious about the repositories you download. As discovered by Kaspersky, hackers have been spreading malware called GitVenom by creating fake projects that look legitimate. These projects often claim to be useful tools, such as Telegram bots for managing Bitcoin wallets or automation scripts for Instagram. They even come with well-written documentation, AI-generated README files, and artificially inflated commit histories to appear authentic.
However, once you download and run the code, GitVenom silently infects your system, stealing sensitive data, including your browsing history, passwords, and—most importantly—your cryptocurrency wallet information. Once active, GitVenom installs additional malware, including clipboard hijackers (clippers) that replace copied wallet addresses, redirecting transactions to attacker-controlled wallets. So far, cybercriminals have stolen at least 5 BTC, worth around $485,000, with most infections detected in Russia, Brazil, and Turkey.
Don’t just trust a GitHub project because it looks popular—inspect the code, check for unusual activity in commit histories, and be wary of newly created repositories with polished documentation. Running unverified code from GitHub without proper review could compromise your entire development environment and crypto assets.
DroidBot
Described by Cleafy, this malware targets banking and cryptocurrency apps to steal user credentials, and with them their funds. It has been active since June 2024, mainly in the UK, Italy, France, Spain, and Portugal, with signs of expansion into Latin America. The malware impersonates apps like Google Chrome, Google Play Store, and Android Security to trick users into installing it.
Once on a device, it abuses Android’s Accessibility Services to record keystrokes, display fake login screens, intercept SMS messages, and even remotely control infected devices. Some of the affected platforms include Binance, KuCoin, BBVA, Santander, Kraken, and MetaMask; in total, over 77 targets have been identified.
A key characteristic of DroidBot is its operation as a Malware-as-a-Service (MaaS), allowing cybercriminals to rent the malware for $3,000 per month. At least 17 affiliate groups use the malware, each customizing it to attack specific targets. Researchers believe the malware’s creators are Turkish, as suggested by language settings in leaked screenshots. So far, 776 infections have been confirmed, mostly in Europe.
DroidBot’s infection vectors primarily rely on social engineering tactics, tricking users into downloading the malicious app through fake security updates or cloned applications. Once installed, it can remotely control the device, execute commands, and even darken the screen to hide its activity. Always be careful with the software you’re installing!
Protect Yourself Against Crypto-Stealing Malware
It’s necessary to stay vigilant in the online world. Beyond that, you can take some preventive measures against potential attacks.
- Avoid downloading apps from unofficial sources to reduce malware risks.
- Regularly update your OS and apps to patch vulnerabilities, and always keep proper security tools (antivirus, antispyware, etc.) installed and running.
- When pasting crypto addresses, monitor your clipboard activity to detect unauthorized modifications. In Obyte, you can avoid crypto addresses altogether and instead send funds __through textcoins__ or attestations.
- Keep your private keys outside the digital world. In Obyte, it’s also possible to __erase the words__ from the wallet after writing them down physically.
- Enable two-factor authentication (2FA) for all your accounts. In Obyte wallets, you can do this by creating a multidevice account from the Global Settings.
- **Limit browser and app permissions to prevent potential attacks.** If you need to download an app, check its rank and number of downloads (legitimate apps often have thousands or even millions of downloads).
- Verify GitHub repositories before downloading code.
- Use well-known software tools for job interviews instead of downloading new brands that you’ve never heard of before. If your potential employer insists, be suspicious and research them further.
- Stay informed and updated on new security and crypto trends from reliable sources!
Featured Vector Image by Freepik