As cryptocurrencies continue their steep rise in both public interest and market capitalization, it should come as no surprise that hackers are now setting their sights on exploiting a gigantic opportunity. A new threat has recently emerged, referred to as “Cryware,” a form of malware that is designed to collect and exfiltrate data from hot wallets, or non-custodial cryptocurrency wallets, that are stored on common user devices and help complete crypto transactions. 

Cryware and other information-stealing trojans represent a shift in crypto-targeted attacks, helping hackers access hot wallet data and rapidly transfer crypto financial assets to their own wallets. And because they are blockchain transactions, the theft is irreversible. 

New Forms of Crypto Wallet Theft Emerge

Security has always been a problem for browser-based crypto wallets that store cryptocurrencies like Bitcoin and Ethereum. But the new malware further complicates security matters by targeting wallets that work as browser extensions (some examples are MetaMask and Coinbase Wallet). One of the most prevalent malware threats, called Mars Stealer, is an upgrade from an older trojan from 2019 and targets more than 40 browser crypto wallets with a grabber capability that is designed to steal the user’s private keys. 

This new wallet-stealing malware is spread through many different online channels, including file-hosting websites, torrent clients, and other nefarious download sites. It works by locating the file on a user’s device that stores private keys, stealing that information, and deleting any trace of the theft. Mars Stealer can even be purchased on the Dark Web for only $140, which makes for a fairly low barrier to entry for potential bad actors. 

The malware currently seems to target only hot wallet credentials from Chrome browsers. Firefox and Opera do not appear to be vulnerable to extension-specific attacks, but they can still be targeted by site credential hijacks. 

Another crypto malware that has been around since 2017 is known as “Clipper.” It works by watching the user’s clipboard and replacing a copied destination crypto address with the hacker’s address. A user might copy and paste an address to pay a friend, for example, but they are really sending funds to the attacker. Since a crypto address is usually very long, the substitution is easy to overlook, even if you try to compare the address character by character. Clipper cryware has been seen targeting both Bitcoin and Ethereum. 
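The clipboard-swap behaviour described above is exactly what a defensive clipboard monitor looks for: an address that was copied by the user and later reads back as a different address of the same type, with no new copy action in between. The following Python is an added illustration, not code from the original article. The event log, the address strings, and the `user-copy` / `clipboard-poll` event labels are constructed for the example; the address patterns are approximate format checks, not full checksum validation.

```python
import re

# Approximate address formats (assumption: format check only, no checksum).
ADDRESS_PATTERNS = {
    # bech32 (bc1...) or legacy/P2SH base58 (1... / 3...) Bitcoin addresses
    "btc": re.compile(r"^(bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    # 0x-prefixed 20-byte hex Ethereum address
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text):
    """Return 'btc', 'eth', or None for a clipboard string."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def find_clipboard_swaps(events):
    """events: list of (source, content). 'user-copy' is an explicit copy by
    the user; 'clipboard-poll' is a periodic read of the clipboard.
    Returns (original, replaced) pairs where the clipboard came to hold a
    different address of the same type without any new user copy."""
    alerts, last_user_addr = [], None
    for source, content in events:
        kind = address_type(content)
        if source == "user-copy":
            last_user_addr = content if kind else None
        elif source == "clipboard-poll" and last_user_addr is not None:
            if kind == address_type(last_user_addr) and content != last_user_addr:
                alerts.append((last_user_addr, content))
                last_user_addr = content  # report each substitution once
    return alerts

def mismatch_positions(a, b):
    """Indices where two equal-length addresses differ (character-by-character check)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y] + list(range(min(len(a), len(b)), max(len(a), len(b))))

# Constructed sample: an intended address and one differing in a single middle character.
INTENDED = "0x" + "a" * 40
SWAPPED = "0x" + "a" * 20 + "b" + "a" * 19
SAMPLE_EVENTS = [
    ("user-copy", INTENDED),
    ("clipboard-poll", INTENDED),        # unchanged: fine
    ("clipboard-poll", SWAPPED),         # changed with no user copy: alert
    ("user-copy", "hello world"),        # non-address copy resets tracking
    ("clipboard-poll", "bc1" + "q" * 39),  # no tracked address: no alert
]

if __name__ == "__main__":
    for original, replaced in find_clipboard_swaps(SAMPLE_EVENTS):
        print("clipboard address changed at positions", mismatch_positions(original, replaced))
```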

Threat Vectors for Android vs. Apple Mobile Phones

Crypto wallet malware operates a bit differently for Android or Apple phones:

  • Victims that use Android phones are usually new cryptocurrency users who don’t yet have a legitimate wallet app on their phone. Since Android’s security model doesn’t allow malware to overwrite an existing app, users are lured to a fake crypto website that appears to link to Google Play but actually serves the app from the fake site’s own web server.  
  • Similarly, since Apple’s protections won’t allow a malicious app to be downloaded from the Apple App Store, victims are directed to a third-party website that delivers the malware. Hackers send alerts and notifications to convince the user to bypass the iPhone’s built-in protections and install the malicious app without realizing what it is.

Tips for Preventing Theft from Malware and Crypto Wallets

Microsoft has been on the front lines to help protect users against crypto wallet malware. The company has provided a number of tips for protecting users’ hot wallets. 

  1. Keep hot wallets locked when the user is not actively trading, and disconnect sites that are connected to the hot wallet. 
  2. Do not store private key information in plain text format (which can be easily stolen), and use care when copying and pasting password information.
  3. Terminate a browser session every time a transaction is completed. 
  4. Be on the lookout for suspicious links to wallet websites and apps, and double-check crypto wallet transactions and approvals. 
  5. Don’t share private key information or seed phrases, and seek out wallets that use multifactor authentication. 
  6. Use hardware wallets that store private keys offline. 
  7. Double check the full file extensions of files that you download. 

Learn to Protect Your Assets 

Cyber security certifications are designed to help both individuals and IT security professionals fight back against hackers and their new forms of malware. The CISSP (or Certified Information Systems Security Professional) is considered the gold standard cert in the field of information security. CISSP-certified professionals are highly trained to master all aspects of IT security, including IT architecture, design, management and controls — all the things that are important for protecting against malware and other threats. 

And for those who want to understand the tactics that malicious hackers use from the inside out, there is the Certified Ethical Hacker (CEH) certification. Ethical hackers investigate vulnerabilities in target systems and use the same techniques as malicious hackers, but in a legitimate and legal manner. They are important assets for any company that wants to stay well ahead of cyber threats. 

About the Author

Stuart Rauch

Stuart Rauch is a 25-year product marketing veteran and president of ContentBox Marketing Inc. He has run marketing organizations at several enterprise software companies, including NetSuite, Oracle, PeopleSoft, EVault and Secure Computing. Stuart is a specialist in content development and brings a unique blend of creativity, linguistic acumen and product knowledge to his clients in the technology space.
