Kaspersky: Stealka infostealer targets MetaMask, Coinbase and 80+ wallets via fake game mods
Kaspersky has identified a new infostealer named Stealka, discovered spreading via counterfeit game cheats, mods and pirated software hosted on trusted developer portals (GitHub, SourceForge, Softpedia, Google Sites). The malware requires users to manually download and run malicious installers bundled with fake mods and cracked apps.

Once executed on Windows systems, Stealka harvests browser data, saved passwords and crypto wallet artifacts, targeting over 100 Chromium- and Gecko-based browsers (Chrome, Firefox, Edge, Brave, Opera) and more than 80 crypto wallets and extensions — including MetaMask, Coinbase Wallet, Binance Wallet, Phantom and Trust Wallet. It exfiltrates private keys, seed phrases, wallet file paths and extension data (Kaspersky reports it targets 115+ wallet, password manager and 2FA extensions), plus credentials and data from messaging apps (Discord, Telegram), email clients (Outlook, Thunderbird), VPNs (ProtonVPN, Surfshark) and note apps. Some bundles also deploy cryptominers, adding performance and resource risks. Telemetry shows initial detections in Russia with cases in Turkey, Brazil, Germany and India.

Kaspersky’s remediation advice for crypto users: avoid pirated or unofficial downloads and game cheat sites; source mods only from verified creators; verify file checksums or digital signatures; keep Windows and apps patched; run reputable antivirus/EDR; use dedicated password managers and enable two-factor authentication; and, for seed phrases/private keys, use hardware wallets or keep them entirely offline.

For traders, compromised keys and saved wallet data can cause immediate asset theft and account takeovers, and can accelerate social-engineering spread through infected contacts — making cautious download practices and hardware wallets critical to reduce short-term loss risk and long-term account security exposure.
Bearish
Stealka directly targets browser wallet extensions and local wallet data, exposing private keys and seed phrases. That creates an immediate theft vector for crypto assets: compromised keys typically lead to rapid on-chain transfers with little recourse. Near-term market impact on the specific tokens held in compromised wallets is negative for affected holders (forced sell-offs or direct transfers), increasing sell pressure and loss events for individual assets. The malware itself does not change protocol fundamentals, so long-term market sentiment for major tokens (e.g., ETH, BTC) is unlikely to shift materially; instead, the main effects are increased security costs, higher demand for hardware wallets and custodial services, and potential reputational damage to browser wallet providers. Traders should treat this as a short-term bearish catalyst for assets held by compromised users and a structural reminder to reduce exposure from hot wallets — implement hardware wallets, stricter OPSEC and avoid risky downloads to limit immediate asset loss.