Crypto-targeting malware is the software side of the threat model for a wallet user. The host machine is the surface, the wallet is the asset, and the malware family is the specific tool an attacker uses to bridge from one to the other. Different families target different parts of the surface, so the defense for each looks different in practice.
This article covers the malware-class taxonomy that maps to crypto activity, the named families and verified operational status of each as of May 2026, the DPRK-attributed campaigns that anchor the threat in named incidents and dated amounts, and the ranked defenses that close the gap between a clean host machine and a drained wallet.
What is crypto-targeting malware and how is it categorized?
Crypto-targeting malware is any malicious software whose purpose is to extract, redirect, or extort cryptocurrency from a victim. The taxonomy splits cleanly into six classes by attack target: clipboard hijackers (clippers), information-stealers and wallet-stealers, cryptojackers, ransomware that demands crypto payment, on-chain drainers, and trojanized wallet apps or browser extensions.
Each class has a different point of attack and a different defense profile. Clippers run on the host and intercept the moment a wallet address is pasted. Info-stealers run on the host for bulk credential harvesting (browser-saved passwords, session cookies, MetaMask extension storage, hot-wallet files on disk). Cryptojackers silently mine cryptocurrency using stolen CPU or GPU cycles. Ransomware encrypts files and demands a crypto payment. Drainers initiate on-chain transactions immediately once they have wallet access. Trojanized wallet apps and browser extensions impersonate legitimate downloads and capture seed phrases or hot-wallet keys during normal use.
A few classes overlap in practice. Lumma Stealer, RedLine, and Vidar are info-stealers that also include clipboard-monitoring features, which puts them across the stealer and clipper categories at once. AMOS / Atomic macOS Stealer targets 50+ crypto wallets plus Keychain, which puts it across stealer and drainer categories. The class label is useful for defense planning, not for a strict either-or sort.
The 2024-2026 threat landscape moved at the family level even as the class taxonomy stayed stable. Several major info-stealer infrastructures were disrupted by international law enforcement, and several DPRK-attributed campaigns delivered the largest crypto-theft totals on record. Chainalysis tracked $2.02 billion in DPRK-attributed cryptocurrency theft during 2025, which represented 76 percent of all service compromises that year and a 51 percent increase year-over-year (source: Chainalysis 2025 crypto hacking and stolen funds analysis). The remaining sections work through the classes in order.
How do clipboard hijackers and address-replacement clippers work?
Clipboard hijackers sit on the host machine and watch the clipboard for cryptocurrency-shaped strings. When the user copies a wallet address for a withdrawal form, hot-wallet send dialog, or DeFi UI, the clipper detects the address pattern and swaps it for an attacker-controlled address before the user pastes. The user often sends to the attacker's address without noticing the swap.
The technique is catalogued as T1115 Clipboard Data in the MITRE ATT&CK framework, with the clipboard-modification variant explicitly called out for cryptocurrency theft (source: MITRE ATT&CK T1115 Clipboard Data). The mechanism is hard to mitigate with preventive controls because clipboard reading and writing is a normal system feature; the defense lives at the user-discipline layer (paste and visually verify before broadcast).
Laplas Clipper is the named family that pushed this technique forward. First observed in late 2022, Laplas runs as a subscription service at roughly $549 per year for the operator panel, and supports address replacement for Bitcoin, Ethereum, Litecoin, Monero, Solana, Cardano, Tron, and a dozen other chain formats plus Steam Trade URLs. Laplas distinguishes itself from earlier clippers by returning a replacement Bitcoin address whose first and last several characters match the address copied by the victim, which defeats casual visual inspection of just the start and end of the string.
Several stealer families ship with clipper functions, which means the boundary between the two classes is porous. Lumma Stealer, RedLine, and Vidar all monitor clipboard contents as part of their broader collection capability. For the detailed walkthrough of how address-poisoning works at the wallet UI level, see clipboard hijacking and address poisoning. The malware class here is the host-side software that drives the clipboard substitution; the social-engineering side that drives the user to paste a manipulated address from poisoned history lives in the address-poisoning article.
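The paste-and-verify discipline described above, as an added example (not code from the article or from any wallet vendor): it shows why a glance at the first and last few characters does not catch a Laplas-style replacement, and what the full comparison looks like. Every address string is a constructed sample, not a real wallet.

```python
"""Verify a pasted destination address before broadcasting.

Added example for this article, not code from the page or from any wallet
vendor. It shows why a glance at the first and last few characters does not
catch a Laplas-style replacement, and what the full comparison looks like.
Every address string here is a constructed sample, not a real wallet.
"""
import re
from typing import Optional

# Rough shapes of common address formats, enough to recognise an
# address-like string; this is not a checksum-level validity test.
ADDRESS_SHAPES = {
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(s: str) -> Optional[str]:
    """Return which shape the string matches, or None if it is not address-like."""
    s = s.strip()
    for kind, pattern in ADDRESS_SHAPES.items():
        if pattern.match(s):
            return kind
    return None


def partial_check(expected: str, pasted: str, window: int = 6) -> bool:
    """The casual visual check: only the first and last `window` characters."""
    expected, pasted = expected.strip(), pasted.strip()
    return expected[:window] == pasted[:window] and expected[-window:] == pasted[-window:]


def full_check(expected: str, pasted: str) -> bool:
    """Compare every character; this is the check that actually protects the send."""
    return expected.strip() == pasted.strip()


def verify_paste(expected: str, pasted: str) -> dict:
    """Classify a paste as exact, ends-only (suspicious), or plain mismatch."""
    kind = address_kind(pasted)
    if full_check(expected, pasted):
        return {"kind": kind, "ok": True, "reason": "exact match"}
    if partial_check(expected, pasted):
        return {"kind": kind, "ok": False,
                "reason": "only the ends match: possible clipper substitution"}
    return {"kind": kind, "ok": False, "reason": "address differs"}


# Constructed sample: the address the user meant to send to, and a
# lookalike that shares the first and last six characters with it.
EXPECTED = "bc1qexample" + "0" * 21 + "sample"
LOOKALIKE = "bc1qexample" + "7" * 21 + "sample"

if __name__ == "__main__":
    print("six-character check passes the lookalike:", partial_check(EXPECTED, LOOKALIKE))
    print("full comparison verdict:", verify_paste(EXPECTED, LOOKALIKE))
```

The external reference used as `expected` must come from a non-clipboard channel (the recipient's profile, an earlier email), since comparing the clipboard with itself proves nothing.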
What are info-stealers and wallet stealers, and which families are operational in 2026?
Information-stealers are commodity malware-as-a-service families that exfiltrate browser-saved credentials, session cookies, browser-extension storage, autofill data, files matching wallet-software signatures, and system metadata to an attacker-controlled command and control server. MITRE catalogues the browser-credential extraction step as T1555.003 Credentials from Web Browsers (source: MITRE ATT&CK T1555.003).
Several stealer families ran the 2023-2024 logs market before law enforcement intervened. RedLine and MetaStealer infrastructure was disrupted by Operation Magnus on October 28, 2024, a joint Eurojust-coordinated action involving Dutch, US, UK, Belgian, Portuguese, and Australian authorities. The operation seized domains, servers, and Telegram channels, and unsealed a US indictment against developer Maxim Rudometov, a Russian national facing charges carrying a maximum 35-year sentence (source: The Cyber Express on Operation Magnus). Flashpoint research found RedLine and MetaStealer had been responsible for roughly 64 percent of all infostealer-infected devices in 2024 before the takedown.
Lumma Stealer (LummaC2) was disrupted in May 2025 by Microsoft's Digital Crimes Unit working with the US Department of Justice. A court order from the US District Court of the Northern District of Georgia dated May 13, 2025 authorized Microsoft to seize and sinkhole roughly 2,300 malicious domains forming the backbone of the Lumma command-and-control network. Microsoft documented over 394,000 infected Windows machines between March 16 and May 16, 2025 (source: Microsoft on disrupting Lumma Stealer). Lumma resurfaced in June and July 2025 with new infrastructure per Trend Micro. The pattern repeats across the disruption record: takedowns reduce volume temporarily without removing the family from the market.
Vidar Stealer filled the post-Lumma vacuum. Vidar 2.0, announced October 6, 2025, was rewritten in C with multi-threaded parallel data theft and a $300 lifetime license that priced below the Lumma rate. Raccoon Stealer also remains active under successor ownership, though core operator Mark Sokolovsky was arrested in the Netherlands in March 2022, extradited to the US in February 2024, and sentenced to 60 months in October 2024.
The macOS-specific stealer story centers on Atomic macOS Stealer (AMOS). AMOS is sold on Telegram as a malware-as-a-service subscription at roughly $1,000 per month and targets at least 50 crypto wallets including Electrum, MetaMask, Coinbase, Exodus, Atomic, and Binance, plus Keychain passwords and system credentials. Distribution shifted across 2024-2026 from malvertising (fake ads for Arc Browser and Notion) toward cracked-software Reddit campaigns and AI-extension-poisoning vectors. Trend Micro's MDR analysis of recent samples found AMOS had evolved into trojan-style persistence with anti-VM evasion and hardware-wallet-app trojanization. For context on why hot-wallet files on disk are a prime stealer target, see the software wallets article; the social-engineering delivery side lives in phishing attacks.
The table below maps the seven malware families that matter most for crypto users across 2026: classification, disruption status, current operational state, and primary platform.
| Family | Class | Platform | Disruption | 2026 status |
|---|---|---|---|---|
| RedLine | Info-stealer + clipper | Windows | Operation Magnus, Oct 28, 2024 (Eurojust-coordinated; Maxim Rudometov indicted) | Largely dismantled; affiliate logs market disrupted |
| MetaStealer | Info-stealer | Windows | Operation Magnus, Oct 28, 2024 | Largely dismantled alongside RedLine |
| Lumma Stealer (LummaC2) | Info-stealer + clipper | Windows | Microsoft DCU + DOJ takedown May 13, 2025 (~2,300 domains sinkholed) | Resurfaced Jun-Jul 2025 with new infrastructure |
| Vidar Stealer | Info-stealer + clipper | Windows | None | Vidar 2.0 announced Oct 6, 2025 ($300 lifetime, C rewrite, multi-threaded); active |
| Raccoon Stealer | Info-stealer | Windows | Sokolovsky arrest Mar 2022 / extradition Feb 2024 / 60-month sentence Oct 2024 | Active under successor ownership |
| Atomic macOS Stealer (AMOS) | Info-stealer + drainer + trojan | macOS | None | Active; ~$1K/mo MaaS subscription; 50+ wallets targeted; anti-VM + trojanization 2026 |
| Hive ransomware | Ransomware | Cross-platform | FBI 7-month infiltration Jul 2022-Jan 2023; takedown Jan 26, 2023 | Dismantled |
| LockBit | Ransomware-as-a-service | Cross-platform | Operation Cronos Feb 19, 2024; Khoroshev unmasking May 7, 2024 | LockBit 5.0 surfaced 2025; further breach May 2025 |
| BlackCat / ALPHV | Ransomware-as-a-service | Cross-platform | Exit-scammed affiliates Mar 2024 after ~$22M Change Healthcare payment | Defunct |
Two patterns dominate the table. Disruption reduces a family temporarily without removing the class from the market; Lumma's May 2025 takedown was followed by Vidar 2.0 in October 2025, and BlackCat's March 2024 exit was followed by LockBit 5.0 in 2025. And cross-platform exposure is uneven: Windows carries the bulk of the stealer market, but AMOS demonstrates that macOS is no longer the safer surface for hot-wallet holders.
How do ransomware, cryptojacking, and DPRK-attributed campaigns differ from drainers?
Ransomware encrypts user files and demands a cryptocurrency payment for the decryption key. Cryptojacking silently mines cryptocurrency on the victim's hardware. DPRK-attributed campaigns target exchanges and wallets directly for state-sponsored theft of crypto assets. Drainers initiate on-chain transactions the moment they have wallet access, bypassing the credential-harvesting step of stealers entirely. Each shows up in 2024-2026 with different operational patterns.
Ransomware groups saw heavy law-enforcement pressure. The FBI infiltrated the Hive ransomware infrastructure for roughly seven months between July 2022 and January 2023, distributing more than 1,300 decryption keys to current and previous victims before seizing the gang's leak sites and command servers in a coordinated takedown announced January 26, 2023 (source: DOJ on disrupting Hive ransomware). LockBit infrastructure was disrupted by Operation Cronos on February 19, 2024, in a UK National Crime Agency-led coalition that later unmasked LockBitSupp as Russian national Dmitry Khoroshev on May 7, 2024 (source: NCA on Operation Cronos). LockBit 5.0 surfaced in 2025 before suffering a further internal breach in May 2025 that exposed affiliate panels. BlackCat / ALPHV apparently exit-scammed its affiliates in March 2024 after a roughly $22 million payment from Change Healthcare.
Cryptojacking sits in a different category because the victim usually does not know a compromise occurred. XMRig is the open-source Monero-mining engine that most cryptojacking campaigns repurpose. Activity resurged in 2025 alongside a Monero price rally, and Trellix documented a sophisticated 2026 campaign distributing customized XMRig miners through deceptive installers masquerading as free premium office productivity software. The economic effect on the victim is metered electricity and degraded performance, not direct asset theft.
DPRK-attributed campaigns sit at the high end of the threat scale. The FBI and US Treasury OFAC attributed the March 2022 Ronin Network bridge hack to Lazarus Group and APT38 on April 14, 2022; the attacker compromised five of nine validator nodes via a fake-job-interview social-engineering vector and moved 173,600 ETH plus 25.5 million USDC, roughly $625 million at the time. The June 2023 Atomic Wallet incident affected fewer than one percent of monthly users per Atomic's June 3 statement, with Elliptic tracing more than $100 million across 5,500-plus affected wallets to Lazarus. The largest single crypto theft on record came on February 21, 2025, when North Korean actors stole approximately $1.5 billion from Bybit by injecting malicious JavaScript into the Safe{Wallet} UI used in Bybit's multisignature cold-to-hot transfer flow; the FBI refers to this cluster as TraderTraitor (source: FBI IC3 PSA on the Bybit hack). That single incident drove the 2025 DPRK figure of $2.02 billion, which Chainalysis reported as 76 percent of all service compromises that year.
What are the browser-extension and fake-app risks for wallet users?
Browser-extension and fake-app risks split into three patterns: malicious extensions published directly on the Chrome Web Store, Firefox Add-ons, or the VS Code Marketplace; trojanized clones of legitimate wallet apps on the iOS App Store, Google Play, or via direct download; and supply-chain compromise of an otherwise-legitimate extension or app through a developer-account breach or a leaked publishing API key.
Direct-publication malicious extensions appear repeatedly. The GlassWorm campaign, active October 2025 onward, targets macOS developers via malicious VS Code and OpenVSX extensions that deliver trojanized Ledger Live and Trezor Suite plus Keychain password theft. The November 2025 prettier-vscode-plus campaign impersonated the legitimate Prettier formatter on the official VS Code Marketplace, delivering the Anivia loader and OctoRAT remote access trojan. A fake WalletConnect Protocol drainer uploaded to Google Play in March 2024 and disclosed by Check Point Research in September 2024 stole over $70,000 from more than 150 victims across five months before takedown.
Trojanized clones of legitimate wallet apps reach the major app stores. Trezor warned users about a fake Trezor app on Google Play in 2021 that exfiltrated seed phrases. The April 2026 fake Ledger Live app published under the name "Leva Heal Limited" sat on the Apple App Store for roughly two weeks before Apple removed it, draining approximately $9.5 million from more than 50 victims. The defense against this category lives in download verification; see verify wallet software for the signature-checking and publisher-verification workflow.
Supply-chain compromise of a legitimate extension is the hardest case because the extension was real before the compromise. The December 2025 Trust Wallet Chrome extension breach is the canonical example: a leaked Chrome Web Store API key let an attacker push version 2.68 of the legitimate Trust Wallet extension with embedded code that exfiltrated user mnemonic phrases. Roughly $7 million was stolen from users who had installed the extension legitimately and received the malicious update through normal Chrome auto-update.
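One host-side check a user can run against the silent-update case above, as an added example (not Trust Wallet's, Google's, or the article's code): Chrome keeps each installed extension under `<profile>/Extensions/<extension id>/<version>/manifest.json`, so scanning that layout against a pinned allowlist at least makes an auto-pushed version bump visible. The extension ids, versions, and the sample profile tree are constructed placeholders.

```python
"""Detect unexpected browser-extension version changes.

Added example for this article, not Trust Wallet's or Google's code.
Chrome stores each installed extension as
<profile>/Extensions/<extension id>/<version>/manifest.json; this scans
that layout and compares what is installed against a pinned allowlist,
so an auto-pushed update is noticed instead of silently accepted.
Extension ids and versions below are constructed placeholders.
"""
import json
import tempfile
from pathlib import Path

# Pinned extension id -> version the user reviewed and accepted (constructed).
PINNED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "2.67",   # placeholder wallet extension
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "1.4.0",  # placeholder other extension
}


def installed_versions(extensions_dir: Path) -> dict:
    """Map extension id -> set of versions read from each manifest.json."""
    found = {}
    for ext_dir in extensions_dir.iterdir():
        if not ext_dir.is_dir():
            continue
        for ver_dir in ext_dir.iterdir():
            manifest = ver_dir / "manifest.json"
            if manifest.is_file():
                with open(manifest, encoding="utf-8") as fh:
                    data = json.load(fh)
                found.setdefault(ext_dir.name, set()).add(data.get("version", ver_dir.name))
    return found


def audit(extensions_dir: Path, pinned: dict) -> list:
    """Return findings as (extension id, reason, installed versions) tuples."""
    findings = []
    installed = installed_versions(extensions_dir)
    for ext_id, versions in installed.items():
        if ext_id not in pinned:
            findings.append((ext_id, "not in allowlist", sorted(versions)))
        elif versions != {pinned[ext_id]}:
            findings.append((ext_id, f"version drift from pinned {pinned[ext_id]}", sorted(versions)))
    for ext_id in pinned:
        if ext_id not in installed:
            findings.append((ext_id, "pinned but not installed", []))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample profile: one extension has been bumped to 2.68 behind the user's back."""
    ext = root / "Extensions"
    for ext_id, version in [("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.68"),
                            ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "1.4.0")]:
        d = ext / ext_id / f"{version}_0"   # Chrome names version dirs like 2.68_0
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": version}))
    return ext


def run_sample() -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(Path(tmp)), PINNED)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A drift finding is a prompt to check the vendor's release notes and the publisher's own channels before using the wallet again, not proof of compromise; legitimate updates drift too.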
What are the practical risks and the ranked defenses for crypto users?
Six practical risks track the malware-class taxonomy: clipper-driven address substitution at paste, info-stealer extraction of browser credentials or hot-wallet files, drainer execution against a compromised hot wallet, ransomware encryption of files including hot-wallet backups, cryptojacking that degrades host performance, and trojanized-app capture of seed phrases. The defenses ranked below work across all six classes.
Hardware wallets with physical-button confirmation are the highest-impact defense for self-custody. A FIDO2 / WebAuthn key paired with the exchange account is the equivalent for centralized-exchange use. Neither defeats every malware class on its own, but each closes the worst outcome (remote signing of an unauthorized transaction, or login from a captured credential). Application allowlisting via Windows SmartScreen or macOS Gatekeeper closes the installer entry point that delivers most stealers and drainers. A separate browser profile, or a separate machine dedicated to wallet activity, isolates the wallet surface from the casual-browsing surface where most infections originate. Clipboard validation discipline (paste, visually verify the first and last six characters against an external reference, then send) closes most clippers. Traditional AV and EDR catch many but not all of these families, and are weakest against freshly rewritten Vidar 2.0 and AMOS variants from late 2025 forward.
Network-layer defenses pair with host-layer defenses. A VPN does not protect against host-side malware, but the VPN and network security layer matters when the host machine is also exposed to network-side attacks. The public WiFi crypto risks article covers the network-attack surface that compounds host malware risk when both are present. Mobile-device hygiene that pairs with malware defense lives in mobile wallet safety, relevant for the iOS and Android trojanized-app vector. For the physical-confirmation defense that closes the drainer outcome, see hardware wallet setup.
From Blofin's operational perspective, malware-driven account compromise surfaces in three patterns the risk system can see even when host-machine infection is invisible to the exchange. A withdrawal address whose first and last characters match a previously used address but whose middle characters differ flags Laplas-style clipper substitution. A sudden withdrawal to a destination flagged on AbuseIPDB threat feeds or the OFAC SDN list triggers an automatic hold. Account access from an ASN block the account has never logged in from before flags potential info-stealer-driven takeover. The same automation pauses both the genuine user and the actual attacker, which is why hardware-key authentication and hardware-wallet physical-button confirmation matter more than detection at the exchange layer alone.
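The three exchange-side signals just listed, scored over constructed account history, as an added example; this is not Blofin's risk system, and the field names, thresholds, blocklist, and sample addresses and ASNs are all assumptions made for illustration.

```python
"""Exchange-side risk signals for malware-driven account compromise.

Added example for this article; it is not Blofin's risk system. The
thresholds, field names, blocklist and sample data are all constructed.
It scores the three signals the article lists: a withdrawal address that
matches a previously used one only at the ends, a destination on a
blocklist, and a login from an ASN the account has never used.
"""
from dataclasses import dataclass, field


@dataclass
class AccountHistory:
    """What the exchange already knows about an account (constructed)."""
    withdrawal_addresses: set = field(default_factory=set)
    login_asns: set = field(default_factory=set)


# Constructed sample data. The ASNs are from the range reserved for
# documentation; the addresses are placeholder hex, not real wallets.
PRIOR_ADDRESS = "0x1234" + "ab" * 16 + "5678"
LOOKALIKE_ADDRESS = "0x1234" + "cd" * 16 + "5678"   # same ends, different middle
BLOCKLISTED = "0x" + "dead" * 10
BLOCKLISTED_ADDRESSES = {BLOCKLISTED}   # stands in for a threat-feed / SDN lookup


def ends_match_middle_differs(a: str, b: str, window: int = 4) -> bool:
    """True when two different addresses agree on their first and last `window` chars."""
    if a == b or len(a) != len(b):
        return False
    return a[:window] == b[:window] and a[-window:] == b[-window:]


def score_withdrawal(history: AccountHistory, address: str) -> list:
    """Reasons to hold a withdrawal; an empty list means no signal fired."""
    reasons = []
    if address in BLOCKLISTED_ADDRESSES:
        reasons.append("destination on blocklist")
    if any(ends_match_middle_differs(address, prev) for prev in history.withdrawal_addresses):
        reasons.append("matches a prior address only at the ends: possible clipper substitution")
    return reasons


def score_login(history: AccountHistory, asn: str) -> list:
    """Flag a login from an ASN never seen on this account (needs some history first)."""
    if history.login_asns and asn not in history.login_asns:
        return [f"login from never-seen ASN {asn}: possible stolen-session takeover"]
    return []


def decide(reasons: list) -> str:
    """Any fired signal pauses the action for both the real user and an attacker."""
    return "hold" if reasons else "allow"


if __name__ == "__main__":
    hist = AccountHistory(withdrawal_addresses={PRIOR_ADDRESS}, login_asns={"AS64496"})
    for addr in (PRIOR_ADDRESS, LOOKALIKE_ADDRESS, BLOCKLISTED):
        r = score_withdrawal(hist, addr)
        print(addr[:8], decide(r), r)
    print("AS64500 login:", decide(score_login(hist, "AS64500")))
```

The new-ASN rule deliberately stays quiet on an account with no login history, otherwise every first login would hold.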
What should you do if you suspect a malware infection on a wallet-using machine?
A practical incident response covers five steps in order: disconnect, transfer remaining assets to a fresh address from a clean device, rotate exchange credentials and revoke sessions, reimage the suspect machine, and replan with hardened defaults. Asset protection comes before evidence preservation because the wallet is bearer-instrument value. Reimaging first loses both the assets and any attribution trail.
Disconnect the suspect machine from the network immediately. Pull the WiFi or Ethernet, do not just turn off the radio in software. This stops further exfiltration of credentials and wallet state, and it stops a drainer from broadcasting a queued transaction. Power-off is a reasonable second step but is not strictly required.
Transfer remaining hot-wallet assets to a fresh address from a different, known-clean device. Use a hardware wallet if you have one and the seed for the suspect hot wallet was generated outside the suspect machine. If the seed was created on the suspect machine, assume the seed itself is compromised and move to a new wallet with a new seed generated on the clean device. Do not transfer from the suspect machine; the clipper may swap the destination address and your "rescue" transaction goes to the attacker.
Rotate exchange credentials from a clean device. Change the password, revoke all active API keys, revoke browser session cookies in the exchange account settings, re-enroll FIDO2 / WebAuthn keys, and reset email-account access if the same machine handled exchange email. The session-cookie revocation step matters most because info-stealers exfiltrate the cookie, which can authenticate without the password. Background terminology lives in the crypto wallet glossary.
Reimage the suspect machine before connecting it to anything sensitive. Full operating-system reinstall from a verified ISO, not a system restore; restoring from a backup risks reinstalling the malware if the backup was taken after infection. Replan with hardened defaults: allowlisting on, browser separation between wallet and casual use, hardware wallet for self-custody, hardware key for exchange auth, and clipboard validation for every send.
Frequently asked questions
Is antivirus software enough to protect a crypto wallet?
No. Antivirus software catches many but not all crypto-targeting malware families, especially against freshly-rewritten variants like Vidar 2.0 (October 2025) or post-update AMOS samples from 2026, which often score low on VirusTotal at first appearance. AV is one layer of a defense stack that should also include hardware-wallet physical-button confirmation, hardware-key authentication on exchange accounts, application allowlisting, separate browser profiles for wallet activity, and clipboard validation discipline. Relying on AV alone leaves a meaningful gap because the wallet value is bearer-instrument-class and a single compromise can drain everything.
Does a hardware wallet protect me from info-stealers like RedLine or Lumma?
Mostly yes for the on-chain assets, with caveats. A hardware wallet that requires a physical-button press to confirm every outgoing transaction prevents an info-stealer from remote-signing a withdrawal even when the host machine is fully compromised, because the stealer cannot press the button. The host machine can still display a different transaction than the one being signed (always verify the destination and amount on the hardware-wallet screen, not the host screen). The seed phrase is also at risk if it was ever typed into the host machine; if the host is compromised, assume the seed entry was logged, and rotate to a fresh wallet with a new seed generated on a clean device.
Are the major info-stealer families still operational after the 2024-2025 takedowns?
Several are in a degraded state but the broader ecosystem is intact. RedLine and MetaStealer infrastructure was disrupted by Operation Magnus on October 28, 2024, with developer Maxim Rudometov indicted in the US. Lumma / LummaC2 infrastructure was disrupted by Microsoft and the US DOJ in May 2025 with roughly 2,300 domains seized, but the family resurfaced in June and July 2025 with new infrastructure per Trend Micro. Vidar 2.0 (October 2025, rewritten in C) and Raccoon Stealer successor variants filled the gap as cheaper alternatives. Atomic macOS Stealer remains operational and evolved into trojan-style persistence on macOS through 2025-2026. The class of threat persists even when specific family infrastructure is taken down.
How can I tell if my clipboard has been hijacked when sending crypto?
The defense is procedural rather than detection-based: paste the destination address into the wallet send field, then visually verify at least the first six and last six characters of the address against an external reference (the address as it appears in the recipient's profile, an email, or another non-clipboard channel) before pressing send. Laplas-style clippers match the first and last several characters of the original Bitcoin address, so verifying only the very first and very last character is not enough; widen the verification window to six on each side at minimum. For Ethereum addresses, where Laplas often does not match the format, the difference is usually obvious. If the pasted address differs from the source address in any character, treat the host machine as infected and follow the incident-response steps in the section above.
What should I do first if I think a wallet-using machine has malware?
Disconnect from the network first, then transfer remaining hot-wallet assets from a different known-clean device to a fresh address. Do not attempt to transfer from the suspect machine even if it still seems to work, because a clipper may substitute the destination address. After assets are safe, rotate exchange credentials and revoke active sessions from the clean device, then reimage the suspect machine with a fresh operating-system install from a verified source, not from a backup that may carry the infection forward. Replan defenses with hardware-wallet confirmation, hardware-key authentication, application allowlisting, and a dedicated wallet browser profile before resuming wallet activity.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include the MITRE ATT&CK Enterprise techniques T1115 Clipboard Data and T1555.003 Credentials from Web Browsers, the FBI Internet Crime Complaint Center public service announcement on North Korea responsibility for the Bybit hack, the Microsoft blog post on the global action against Lumma Stealer, The Cyber Express coverage of Operation Magnus against RedLine and MetaStealer, the UK National Crime Agency announcement on Operation Cronos against LockBit, the US Department of Justice disruption of the Hive ransomware variant, and the Chainalysis 2025 crypto hacking and stolen funds analysis. All facts independently verified against cited documentation current as of May 2026.
This article is for informational purposes only and does not constitute financial advice, investment guidance, or a recommendation to buy, sell, or hold any digital asset. Cryptocurrency markets involve significant risk and you should conduct your own research and consult qualified professionals before making investment decisions. Blofin Academy content reflects the state of public information at time of publication; protocol parameters, fees, and ecosystem data change frequently.
