Crypto-Stealing Malware Surge via Fake AI and Web3 Startups

Cybersecurity researchers warn of a surge in crypto-stealing malware campaigns that impersonate AI and Web3 startups on social platforms such as X, Telegram and Discord. Attackers lure users into downloading malicious apps disguised as blockchain games or AI betas through fake websites, GitHub repositories and white papers. These social engineering tactics rely on professional-looking facades, including stolen certificates, fake investor lists and merchandise sites, to build credibility. On Windows, malicious Electron-based apps profile the system and deploy hidden modules; on macOS, disguised DMG installers drop Atomic Stealer to harvest browser data, wallet credentials and seed phrases. The Realst and Atomic Stealer families exfiltrate the stolen keys to attacker-controlled servers. The campaigns target wallets linked to past breaches, such as the Mt. Gox hack, and mirror tactics used by CrazyEvil and Traffer Group. Mobile threats such as SparkKitty use OCR to extract seed phrases from screenshots, while trojans such as Procolored replace wallet addresses in order to steal BTC. With crypto attacks rising (CertiK reports $2.2bn lost in H1 2025 and Kaspersky notes an 83% jump in crypto phishing), traders should verify software sources, keep security tools updated and use robust wallet protection to mitigate these risks.
Neutral
The surge in crypto-stealing malware poses heightened security risks but does not directly affect cryptocurrency prices. In the short term, traders may increase spending on security measures and tighten risk management, with no immediate price impact on BTC or other tokens. Over the long term, improved defenses could strengthen market confidence but are unlikely to drive significant price movements. Overall, the news is neutral for price action.