New malware helps scammers steal crypto login credentials

Crypto scammers are now using a new malware to steal crypto logins from traders and investors in the crypto gaming industry. According to research from cybersecurity firm Kaspersky, the scammers are inserting malware into pirate mods for Roblox and other games to steal crypto login credentials from users.

According to a post from Kaspersky, there is now a new variety of infostealer called Stealka, which it has so far encountered on distribution platforms like GitHub, SourceForge, Softpedia, and sites.google.com. The malware is disguised as unofficial mods, cheats, and cracks for Windows-based games and other apps. Stealka is used by scammers to exfiltrate sensitive login and browser information, which they in turn use to steal digital assets.

Scammers deploy new malware to steal digital assets

The malware primarily targets data contained in browsers such as Chrome, Opera, Firefox, Edge, Yandex, Brave, as well as the settings and databases of over 100 browser extensions. The extensions include digital asset wallets from Binance, Crypto.com, MetaMask, and Trust Wallet. It also targets password managers like LastPass, NordPass, and 1Password, and 2FA apps like Google Authenticator, Authy, and Bitwarden.

In addition, Kaspersky noted that Stealka doesn’t stop with browser extensions, noting that it can also lift encrypted private keys, seed phrase data, and wallet file paths from standalone cryptocurrency wallet apps. This includes applications like MyCrypto, MyMonero, Binance, Exodus, as well as other applications for Bitcoin, Ethereum, Solar, Novacoin, Monero, Dogecoin, and BitcoinABC.

Kaspersky cybersecurity expert Artem Ushkov explained that the new malware was detected by the company’s endpoint solutions for Windows machines in November. The Stealka malware can also steal data and authentication tokens for messaging apps like Discord and Telegram, password managers, email clients like Mailbird and Outlook, note taking applications like StickyNotes on Microsoft, Notezilla, NoteFly, and VPN clients like Windscribe, OpenVPN, and ProtonVPN.

Ushkov details the activities of the malware

According to Ushkov, the malware is based in Russia, targeting mainly users from that region. However, attacks by the malware have also been detected in other countries, including Türkiye, Brazil, Germany, and India,” he added. In view of this threat, Kaspersky has advised users to stay away from ploys by scammers trying to use this malware and others to steal their credentials. They have urged users to stay away from unofficial or pirated mods, noting the need to use antivirus software from reputable companies.

The blog also advised users against storing important and sensitive information in browsers, asking them to employ the use of two-factor authentication wherever available. In addition, they are asked to use backup codes in most situations, urging them not to store these codes on browsers or in text documents. In addition, users are enjoined to be watchful of where they download games and other files from, noting that these scammers play on users’ need to download free files from unofficial sources.

In a popular case mentioned by authorities this week, an entrepreneur based in Singapore lost his entire crypto portfolio after downloading a fake game. The entrepreneur said he came across a beta testing opportunity for Telegram in an online game called MetaToy. He noted that he felt the game was genuine because of some metrics, including the appearance of its website and the activity of its Discord. However, after downloading the game launcher, he unknowingly installed malware, which wiped more than $14,189 in crypto from his system.

While scammers can use Stealka to steal personal info and digital assets, there is no indication that it has done any huge damage, the cybersecurity expert noted. “We are not aware of the amount of crypto that has been stolen using it,” said Ushkov. “Our solutions protect against this threat: all detected Stealka malware was blocked by our solutions.” This means that it remains unknown if scammers have used the malware to steal digital assets and the scale of their theft.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.