The Good Tech Companies - 2025 Has Already Brought a Host of New Crypto-Stealing Malwares—Here's 5 to Watch Out For
Episode Date: April 12, 2025. This story was originally published on HackerNoon at: https://hackernoon.com/2025-has-already-brought-a-host-of-new-crypto-stealing-malwaresheres-5-to-watch-out-for. We'll explore here five relatively new crypto-stealing malware types, from screenshot and clipboard stealers to fake video conferencing software. Let's go! Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #malware-threat, #crypto-stealing-malware, #obyte, #sparkcat-and-spyagent, #massjacker, #web3, #good-company, #hackernoon-top-story, and more. This story was written by: @obyte. Learn more about this writer by checking @obyte's about page, and for more stories, please visit hackernoon.com. Malware is any malicious software designed to infiltrate and harm a system. In 2024 alone, wallet drainer malware stole nearly $500 million from over 332,000 victims. The largest single theft reached $55.48 million, with the first quarter seeing the highest activity.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
2025 Has Already Brought a Host of New Crypto-Stealing Malwares, Here's 5 to Watch Out For, by Obyte.
Malware is any malicious software designed to infiltrate and harm a system, and crypto-stealing malware specifically targets digital assets. These threats come in many forms, tricking users into installing them through fake apps, phishing links, or compromised software. Once inside a device, they can steal private keys, modify transactions, or deceive victims into approving fraudulent transfers, leading to significant financial losses. In 2024 alone, wallet-drainer malware stole nearly $500 million from over 332,000 victims, marking a sharp rise from the previous year. The largest single theft reached $55.48 million, with the first quarter seeing the highest activity. Hackers and scammers are pretty active, as we can see. That's why we'll explore here five relatively new and cunning malware types, from deceptive trojans to sneaky transaction-altering clippers.
SparkCat and SpyAgent
You know you should take care of your private keys, preferably outside the digital world. But have you ever felt lazy enough to just take a screenshot of them and save it inside your gallery? Who will ever know, right? Well, this malware type is the very reason why you should stop doing that. Cybercriminals will know, and snatch all your coins. They're now using optical character recognition (OCR) technology to scan images stored on your device for sensitive information. OCR-based malware can detect and extract text from screenshots, putting your cryptocurrency recovery phrases, passwords, and other private data at risk. If you've ever taken a screenshot of a wallet seed phrase, login credentials, or personal messages, this malware can find it and send it to attackers, giving them full control over your accounts.
Kaspersky identified SparkCat, which has been active on both Google Play and the App Store, while McAfee discovered SpyAgent, mainly spreading through Android APKs outside official stores. The two malware strains are suspiciously similar, so they might as well be the same one under different names. SparkCat has been found in popular apps like messengers and food delivery services, with over 242,000 downloads, targeting users in the UAE, Europe, and Asia. Meanwhile, SpyAgent has focused on South Korea, with signs of expansion to the UK.
To protect yourself, besides avoiding storing sensitive information in screenshots, only download well-ranked apps from official stores (though, as SparkCat shows, an official store listing is no guarantee on its own), and be cautious about granting unnecessary permissions. If you suspect an infection, remove the app immediately and use security tools to scan your device.
Fake job offers
Are you looking for a job in the crypto industry right now? You may be at risk of being scammed by the criminals behind this type of malware. They create fake job postings on trusted platforms like LinkedIn, Crypto Jobs List, and Wellfound, luring victims into fake interviews. The process seems professional at first, with initial exchanges happening over email or messaging apps like Telegram and Discord. However, at some point, the recruiter asks the applicant to download special video conferencing software to complete the interview. This software, often presented as a tool like Willo, Meeten, or GrassCall, is actually a trojan designed to steal personal data and cryptocurrency. Once installed, the malware activates and begins gathering sensitive information from the victim's device. Among these malicious programs, Meeten stands out for its ability to steal cryptocurrency directly from browser wallets. Researchers from Cado Security Labs uncovered that the Meeten malware can collect banking details, browser cookies, and even passwords stored in popular crypto wallets like Ledger and Trezor.
GrassCall follows a similar pattern but is linked to a Russian cybercriminal group called Crazy Evil. This group specializes in social engineering attacks, using fake job interviews to gain victims' trust. Victims who download the GrassCall software unknowingly install a remote access trojan (RAT) alongside an infostealer. These programs allow attackers to log keystrokes, extract passwords, and drain crypto wallets. Security experts tracking this campaign found that the criminals even rewarded their affiliates with a share of the stolen assets, making it a highly organized operation.
To stay safe from such scams, always be cautious when asked to download software from unfamiliar sources, verify recruiters' identities through official company websites, and use security tools to detect suspicious activity on your devices.
MassJacker
Clippers are a type of malware that specifically targets cryptocurrency transactions by monitoring the clipboard of an infected device. When you copy a wallet address, clippers silently replace it with one controlled by attackers. Since cryptocurrency transactions are irreversible, if you don't double-check the address before sending funds, your money could be gone for good. Clippers are simple yet highly effective, as they don't require sophisticated attacks, just an unnoticed swap in your copied text. Note that the substituted address is a perfectly well-formed one, so your wallet's own format check won't flag it; only comparing it with the address you actually meant to pay will.
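The check the clipper section calls for, as an added example that is not part of the original article or of any wallet or tool it mentions: a small Python helper that validates a pasted address (Base58Check for legacy Bitcoin addresses, bech32 and bech32m for bc1 addresses) and, more importantly, compares it with the recipient address the user pinned earlier. The sample addresses are well-known public test vectors, not real recipients, and the pinned-address workflow is an assumption for illustration; a real deployment would read the pinned list from the wallet's own address book.

```python
"""Added example: verify a pasted address before sending (not code from the
original article). A clipper substitutes a syntactically valid address, so the
checksum alone never catches the swap; comparing with an address pinned from a
trusted channel does. Sample addresses are public test vectors (assumption:
they stand in for the user's real recipients)."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3   # BIP173 (bc1q) and BIP350 (bc1p)


def base58check_valid(addr: str) -> bool:
    """Legacy P2PKH ('1...') / P2SH ('3...'): 25 bytes ending in a 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # each leading '1' encodes a leading zero byte that the integer form drops
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _bech32_polymod(values) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """Native SegWit / Taproot ('bc1...'): BCH checksum per BIP173 or BIP350."""
    if addr != addr.lower() and addr != addr.upper():
        return False                      # mixed case is invalid by spec
    addr = addr.lower()
    hrp, sep, data = addr.rpartition("1")
    if hrp != "bc" or not sep or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    result = _bech32_polymod(hrp_expanded + [BECH32_CHARSET.index(c) for c in data])
    return result in (BECH32_CONST, BECH32M_CONST)


def address_valid(addr: str) -> bool:
    return bech32_valid(addr) if addr.lower().startswith("bc1") else base58check_valid(addr)


def check_paste(pasted: str, pinned: str) -> str:
    """Verdict for the address about to be paid.

    `pinned` is the recipient recorded earlier from a trusted channel (the
    recipient's website, a previously verified transaction), never taken from
    the clipboard at send time."""
    if pasted == pinned:
        return "OK"
    if address_valid(pasted):
        return "SWAPPED: well-formed address, but not the pinned recipient (clipper?)"
    return "INVALID: malformed address"


# Constructed demo: the user pinned PINNED; a clipper silently replaced the
# clipboard content with ATTACKER (a valid address the attacker controls).
PINNED = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"

if __name__ == "__main__":
    for clipboard in (PINNED, ATTACKER, PINNED[:-1] + "3"):
        print(f"{clipboard:45} -> {check_paste(clipboard, PINNED)}")
```

The design point is the order of the checks: the pinned-address comparison comes first because it is the only one that catches a clipper; the checksum only distinguishes a swap from a typo so the user gets the right message.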
MassJacker is a large-scale clipper campaign recently discovered to be using at least 778,531 fraudulent wallet addresses. At the time of analysis by CyberArk, only 423 of the wallets contained any funds, totaling about $95,300, but historical data suggests much larger sums have been stolen. The malware operators seem to rely on a central Solana wallet, which has received over $300,000 so far. MassJacker spreads through pirated software downloads, particularly from a site called pesktop.com. When you run an infected installer (for a movie, a game, a tool, etc.), a hidden script executes a complex chain of malware loaders, eventually injecting MassJacker into a legitimate Windows process to evade detection. To avoid MassJacker and similar threats, be cautious when downloading software, especially pirated programs, as they are a common delivery method for malware. Always verify wallet addresses manually before confirming any transaction, to make sure they haven't been altered.
GitVenom
If you're an open-source developer using GitHub, you should be extra cautious about the repositories you download.
As discovered by Kaspersky, hackers have been spreading malware called GitVenom by creating fake projects that look legitimate. These projects often claim to be useful tools, such as Telegram bots for managing Bitcoin wallets or automation scripts for Instagram. They even come with well-written documentation, AI-generated README files, and artificially inflated commit histories to appear authentic. However, once you download and run the code, GitVenom silently infects your system, stealing sensitive data, including your browsing history, passwords, and, most importantly, your cryptocurrency wallet information. Once active, GitVenom installs additional malware, including clipboard hijackers (clippers) that replace copied wallet addresses, redirecting transactions to attacker-controlled wallets. So far, cybercriminals have stolen at least 5 BTC, worth around $485,000, with most infections detected in Russia, Brazil, and Turkey.
Don't just trust a GitHub project because it looks popular: inspect the code, check for unusual activity and commit histories, and be wary of newly created repositories with polished documentation. Running unverified code from GitHub without proper review could compromise your entire development environment and crypto assets.
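A triage pass a developer can run before executing anything from a freshly cloned repository, as an added example that is not part of the original article or of Kaspersky's GitVenom research. It flags the generic tell-tales of hidden or obfuscated code: a statement pushed off-screen behind a long run of whitespace, oversized lines, large base64-looking blobs (decoded and peeked at), and eval/exec of decoded or decompressed data. The two sample files are constructed here, and the thresholds are choices for the demo, not anything reported about GitVenom. A hit is a reason to read the file by hand, not proof of malice, and a clean run is not proof of safety.

```python
"""Added example (not from the original article): static triage of cloned
source files for hidden or obfuscated code before running them. Sample files
below are constructed for the demo; thresholds are assumptions."""
import base64
import os
import re
from typing import Optional

WHITESPACE_RUN = re.compile(r"[ \t]{80,}\S")          # code parked off-screen to the right
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")      # long base64-looking literal
DECODE_CALL = re.compile(r"(b64decode|decompress|fromCharCode|atob|unhexlify)\s*\(")
EXEC_CALL = re.compile(r"\b(exec|eval|Function|compile)\s*\(")
MAX_LINE = 400
SOURCE_EXT = {".py", ".js", ".ts", ".sh", ".ps1", ".rb", ".go", ".rs"}
SCRIPT_MARKERS = ("import ", "require(", "http", "exec(", "eval(", "powershell")


def _peek_b64(blob: str) -> Optional[str]:
    """Decode a base64 run; return the text if it is printable ASCII, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def scan_source(text: str, path: str = "<memory>") -> list:
    """Return one finding per (line, rule) that trips a heuristic."""
    findings = []

    def hit(lineno: int, rule: str, detail: str = "") -> None:
        findings.append({"path": path, "line": lineno, "rule": rule, "detail": detail})

    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            hit(lineno, "oversized-line", f"{len(line)} chars")
        if WHITESPACE_RUN.search(line):
            hit(lineno, "code-hidden-after-whitespace", line.strip()[:40])
        if EXEC_CALL.search(line) and DECODE_CALL.search(line):
            hit(lineno, "exec-of-decoded-payload", line.strip()[:40])
        for blob in B64_BLOB.findall(line):
            hit(lineno, "large-base64-blob", f"{len(blob)} chars")
            decoded = _peek_b64(blob)
            if decoded and any(m in decoded for m in SCRIPT_MARKERS):
                hit(lineno, "blob-decodes-to-script", decoded[:40])
    return findings


def scan_tree(root: str) -> list:
    """Walk a checkout (skipping .git) and scan every source file."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if os.path.splitext(name)[1] in SOURCE_EXT:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_source(fh.read(), full))
    return out


# Constructed samples. CLEAN is an ordinary helper; POISONED looks identical in
# a narrow editor window because the payload sits behind 120 tabs on line 2.
CLEAN = "import json\n\ndef load_config(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
_PAYLOAD = base64.b64encode(b"import urllib.request;print('staged payload')" * 6).decode()
POISONED = ("def start():\n"
            "    print('bot running')" + "\t" * 120
            + f";import base64;exec(base64.b64decode('{_PAYLOAD}'))\n")

if __name__ == "__main__":
    for f in scan_source(POISONED, "bot.py"):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['detail']}")
```

Run `scan_tree("path/to/clone")` on a real checkout; the base64 peek is what turns "there is a big blob here" into "the blob is a script that imports or fetches something", which is the finding worth a manual read.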
DroidBot
Described by Cleafy, this malware targets banking and cryptocurrency apps to steal user credentials and their funds. It has been active since June 2024, mainly in the UK, Italy, France, Spain, and Portugal, with signs of expansion into Latin America. The malware impersonates apps like Google Chrome, the Google Play Store, and Android Security to trick users into installing it. Once on a device, it abuses Android's accessibility services to record keystrokes, display fake login screens, intercept SMS messages, and even remotely control infected devices. Some of the affected platforms include Binance, KuCoin, BBVA, Santander, Kraken, and MetaMask, though over 77 targets have been identified in total.
One key characteristic of DroidBot is its operation as malware-as-a-service (MaaS), allowing cybercriminals to rent the malware for $3,000 per month. At least 17 affiliate groups use the malware, each customizing it to attack specific targets. Researchers believe the malware's creators are Turkish, as suggested by language settings in leaked screenshots. So far, 776 infections have been confirmed, mostly in Europe. DroidBot's infection vectors primarily rely on social engineering tactics, tricking users into downloading the malicious app through fake security updates or cloned applications. Once installed, it can remotely control the device, execute commands, and even darken the screen to hide its activity. Always be careful with the software you're installing.
Protect yourself against crypto-stealing malware
It's necessary to stay vigilant in the online world. Likewise, you can take some preventive measures against potential attacks:
- Avoid downloading apps from unofficial sources to reduce malware risks.
- Regularly update your OS and apps to patch vulnerabilities.
- Always keep proper security tools (antivirus, anti-spyware, etc.) in place.
- When pasting crypto addresses, monitor your clipboard activity to detect unauthorized modifications. In Obyte, you can avoid crypto addresses altogether and instead send funds through textcoins or attestations.
- Keep your private keys outside the digital world. In Obyte, it's also possible to erase the words from the wallet after writing them down physically.
- Enable two-factor authentication (2FA) for all your accounts. In Obyte wallets, you can do this by creating a multi-device account from the global settings.
- Limit browser and app permissions to prevent potential attacks.
- If you need to download an app, check its rank and number of downloads. Legitimate apps often have thousands or millions of downloads.
- Verify GitHub repositories before downloading code.
- Use well-known software tools for job interviews, instead of downloading new brands that you've never heard of before. If your potential employer insists, be suspicious and research them further.
- Stay informed and updated on new security and crypto trends from reliable sources.
Featured vector image by Freepik. Thank you for listening to this Hacker Noon story, read by artificial intelligence.
Visit hackernoon.com to read, write, learn and publish.
