New Malware Targets Crypto Wallets Through Fake Game Mods

First identified in November, the malware has been distributed through platforms like GitHub, SourceForge, and Google Sites, and in some cases through professionally designed fake websites. Once installed, Stealka can harvest browser autofill data, access the settings and databases of more than 100 browsers, and extract information from 115 browser extensions, including those used for cryptocurrency wallets, password managers, and two-factor authentication services. Separately, US prosecutors charged a 23-year-old Brooklyn resident, Ronald Spektor, with 31 criminal counts related to a phishing scheme that stole approximately $16 million in cryptocurrency from about 100 Coinbase users between April 2023 and December 2024.

Game Cheats Hide Malware Targeting Crypto

Cybersecurity firm Kaspersky uncovered a new strain of malware that poses a threat to cryptocurrency users, gamers, and everyday Windows users. The malware, dubbed “Stealka,” was first identified in November and is classified as an infostealer. This means that its primary purpose is to silently harvest sensitive data from infected systems.

According to Kaspersky, Stealka is being actively distributed by attackers who disguise it as video game cheats, cracks, and mods, particularly those linked to popular titles like Roblox, as well as pirated software for legitimate applications like Microsoft Visio. What makes the campaign especially concerning is the way the malware is hosted and shared. Rather than relying solely on obscure or obviously malicious websites, attackers uploaded Stealka to well-known platforms like GitHub, SourceForge, and Google Sites, giving the files an appearance of legitimacy that can easily mislead unsuspecting users.

In some cases, the operators behind Stealka went even further by creating full fake websites that look professional and trustworthy. Kaspersky researcher Artem Ushkov said that these sites may even be generated or enhanced using artificial intelligence tools, making them harder for users to distinguish from real software distribution pages. Once installed, Stealka can hijack online accounts, steal cryptocurrency, and deploy crypto miners on victims’ machines without their knowledge.

(Source: Kaspersky)

The malware’s most dangerous capabilities are tied to its focus on web browsers built on Chromium and Gecko engines. This puts more than 100 browsers at risk, including widely used options like Chrome, Firefox, Edge, Opera, Brave, and others. Stealka targets browser autofill data, which allows it to capture login credentials, addresses, and payment card information. Beyond that, it specifically hunts for data linked to browser extensions, including those used for crypto wallets, password managers, and two-factor authentication services.

Kaspersky estimates that Stealka can extract information from the settings and databases of 115 browser extensions. Among the roughly 80 crypto wallets targeted are major platforms like Binance, Coinbase, Crypto.com, MetaMask, Trust Wallet, Phantom, and Exodus. Messaging applications including Discord and Telegram, as well as email clients, VPNs, password managers, and gaming clients, are also within Stealka’s reach.

To reduce the risk of infection, Kaspersky advises users to avoid pirated software and unofficial game mods, use reputable antivirus solutions, and rely on dedicated password managers rather than storing sensitive data directly in browsers.

(Source: Kaspersky)

Man Charged in $16M Coinbase Phishing Scheme

Malware is not the only threat targeting crypto users. A 23-year-old man from Brooklyn was indicted on dozens of criminal charges for allegedly orchestrating a large-scale phishing operation that stole roughly $16 million in cryptocurrency from Coinbase users across the United States. 

The Brooklyn District Attorney’s Office announced on Friday that Ronald Spektor, a resident of Sheepshead Bay, faces 31 counts including first-degree grand larceny, money laundering, and related financial crimes stemming from a scheme that allegedly ran for more than a year. Prosecutors say Spektor targeted approximately 100 victims between April 2023 and December 2024 by impersonating a customer support representative for Coinbase. 

(Source: Brooklyn DA)

According to the indictment, he contacted users and warned them that their accounts were under imminent threat from hackers. By exploiting fear and urgency, Spektor allegedly convinced victims to transfer their cryptocurrency holdings into new wallets that he secretly controlled, effectively draining their accounts.

Once the funds were stolen, authorities allege Spektor tried to obscure their origin by laundering the proceeds through crypto mixers, token-swapping services, and online gambling platforms. Investigators say the scheme resulted in devastating losses for some victims, including one California resident who lost more than $1 million and a Virginia victim whose losses exceeded $900,000.

Spektor allegedly operated online under the alias “Ronaldd” and used the handle “@lolimfeelingevil” across platforms. Prosecutors say he also ran a Telegram channel called “Blockchain enemies,” where he openly bragged about his crimes and even admitted to losing as much as $6 million through gambling. Those posts later became part of the evidence used against him.

So far, authorities recovered about $105,000 in cash and roughly $400,000 worth of cryptocurrency. Investigators interviewed more than 70 victims during the probe and ultimately identified close to 100 individuals that were affected by the scheme. 

Coinbase CEO Brian Armstrong acknowledged the indictment in a post on X, and warned scammers that those who target the exchange’s customers will be pursued and held accountable. Blockchain investigator ZachXBT also played a key role in the case after publishing an investigation in November of 2024 when one victim who lost $6 million asked for his help.