The post Crypto Researchers Find Another Undetectable Cross-Platform Wallet Drainer appeared first on Live Bitcoin News.

Crypto Researchers Find Another Undetectable Cross-Platform Wallet Drainer

2025/09/13 15:30

ModStealer malware targets crypto wallets on Windows, macOS, and Linux, stealing keys and data. Read how it spreads and how to stay safe.

 

ModStealer malware is becoming one of the most pressing threats to crypto wallets. 

Security researchers discovered that it can now infiltrate systems running Windows, macOS and Linux. Once installed, it extracts sensitive information including wallet credentials, private keys and certificates.

The malware was uncovered by Apple-focused security firm Mosyle. According to its findings, ModStealer avoided detection by most antivirus engines for nearly a month after being uploaded to VirusTotal.

How ModStealer Operates

Mosyle revealed that ModStealer is a feature-rich infostealer. It comes loaded with code designed to harvest sensitive data from browser-based wallet extensions. 

Targets include popular extensions on Safari and Chromium-based browsers.

On macOS systems, the malware gains persistence by using Apple’s launchctl tool. 

It registers itself as a background agent and silently monitors activity. On all operating systems, it can capture clipboard data, take screenshots and even execute remote commands.
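For defenders, the launchd persistence described above can be reviewed by reading the job definitions that launchctl loads. The following is an added example, not code from the article or from Mosyle; the article publishes no ModStealer indicators, so the checks are generic triage heuristics chosen as assumptions here.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Heuristics are assumptions for triage, not ModStealer indicators.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
AGENT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")

def job_program(job):
    """Executable launchd will start: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [""]
    return str(job.get("Program") or args[0])

def review_job(plist_path):
    """Return a list of reasons this job definition needs a manual look."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # handles both XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
        return [f"unreadable plist ({type(exc).__name__})"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    reasons = []
    program = job_program(job)
    if not program:
        reasons.append("no Program or ProgramArguments")
    if program.startswith(WRITABLE_PREFIXES):
        reasons.append(f"runs from world-writable location: {program}")
    if any(part.startswith(".") for part in Path(program).parts):
        reasons.append(f"hidden path component: {program}")
    if job.get("Label") != Path(plist_path).stem:
        reasons.append(f"Label {job.get('Label')!r} differs from file name")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def audit(directory):
    """Map plist file name -> reasons, for every flagged job in a directory."""
    findings = {}
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        reasons = review_job(path)
        if reasons:
            findings[path.name] = reasons
    return findings

if __name__ == "__main__":
    for d in AGENT_DIRS:
        for name, reasons in audit(d).items():
            print(f"{d}/{name}: " + "; ".join(reasons))
```

A flagged entry is a prompt for manual review, not a verdict; legitimate software sometimes trips these heuristics as well.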

Researchers traced the malware’s server to Finland, even though the infrastructure appears to be routed through Germany.

Fake Job Ads Fuel Malware Distribution

The malware is spreading through fake job recruitment ads. Cybercriminals disguise themselves as recruiters offering technical assessments or test tasks. 

Developers who download these files unknowingly install ModStealer and give attackers access to sensitive data.

This tactic has become increasingly common in Web3 communities. Hacken’s Stephen Ajayi, a technical lead in blockchain security, warned that fake test assignments are now a standard tool for attackers.

He advised handling assignments only in disposable virtual machines that contain no wallets, SSH keys, or password managers.

Advice From Security Experts

Ajayi stressed that users must separate their work and wallet environments. He recommended using a “dev box” for development and a “wallet box” for storing digital assets. 

This compartmentalisation reduces the chance of wallet compromise.

He also pointed out the importance of wallet hygiene. Hardware wallets, offline storage of seed phrases and careful confirmation of wallet addresses are all great strategies for reducing exposure.

Malware-as-a-Service Adds Scale

Researchers believe ModStealer is part of a growing Malware-as-a-Service (MaaS) market. 

Criminals package malware for resale to affiliates, who can then deploy it without technical expertise. This model allows for quick scaling of attacks.

Mosyle noted that ModStealer reflects a wider trend in Mac malware. Infostealers now dominate threats targeting Apple systems, with Jamf reporting a 28% rise this year.

Wider Threats to Crypto Users

The risks extend beyond ModStealer. A recent case showed that phishing remains one of the most damaging attack methods.

Blockchain analytics firm Lookonchain reported that an investor lost $3.05 million in Tether (USDT) after unknowingly approving a malicious transaction.

The investor only checked the first and last few characters of a wallet address. Attackers exploited that habit to redirect funds.
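The habit described above can be replaced by a mechanical check: compare the whole destination string against a saved address book, and treat any address that only shares its first and last characters with a saved entry as a warning sign. This is an added example, not part of the original article; the addresses are constructed samples, and the four-character threshold and exact-case comparison are assumptions.

```python
# Constructed sample addresses (not real wallets); the second copies only the
# first and last four characters of the first.
TRUSTED = "0x3fA9c1d27b5e4a60c8d9e1f2a3b4c5d6e7f81b2C"
LOOKALIKE = "0x3fA90e7a44b19c2d5f6083a1b7c9d2e4f6011b2C"
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}

def _body(addr):
    """Drop a leading 0x so the fixed prefix does not count as similarity."""
    return addr[2:] if addr.lower().startswith("0x") else addr

def shared_affixes(a, b):
    """Return (matching leading chars, matching trailing chars)."""
    a, b = _body(a), _body(b)
    limit = min(len(a), len(b))
    lead = 0
    while lead < limit and a[lead] == b[lead]:
        lead += 1
    trail = 0
    while trail < limit - lead and a[-1 - trail] == b[-1 - trail]:
        trail += 1
    return lead, trail

def classify(candidate, address_book, min_affix=4):
    """Return ('match' | 'lookalike' | 'unknown', label of the related entry)."""
    for label, trusted in address_book.items():
        if candidate == trusted:  # full-string comparison, every character
            return "match", label
    for label, trusted in address_book.items():
        lead, trail = shared_affixes(candidate, trusted)
        if lead >= min_affix and trail >= min_affix:
            return "lookalike", label  # same ends, different middle
    return "unknown", None

if __name__ == "__main__":
    for addr in (TRUSTED, LOOKALIKE):
        print(addr, classify(addr, ADDRESS_BOOK))
```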

According to security firm CertiK, crypto users lost more than $2.2 billion to hacks, scams, and breaches in the first half of the year. 

Wallet hacks alone accounted for $1.7 billion across just 34 incidents. Phishing scams added over $410 million across 132 attacks.

 
