StepDrainer drains crypto wallets across 20+ networks

A malware-as-a-service called StepDrainer is siphoning crypto from victims across 20+ blockchain networks, including Ethereum, BNB Chain, Arbitrum, and Polygon. It tricks users with realistic fake Web3 wallet-connection pop-ups, sometimes mimicking Web3Modal, to obtain approvals for token transfers. StepDrainer misuses legitimate smart-contract tooling (notably Seaport and Permit v2) so the approval screens look normal, even showing a reassuring message such as “+500 USDT” for a transaction that is in fact fraudulent. Once a wallet is connected, it prioritizes the most valuable tokens and automatically sends them to attacker-controlled wallets. Researchers say the malicious configuration is loaded via dynamic scripts and sourced from on-chain accounts, which helps it evade standard security scanning.

Separately, researchers also flagged EtherRAT, a malware that targets Windows via a fake Tftpd64 installer. EtherRAT hides Node.js inside the installer, persists via the Windows registry, and uses PowerShell for environment checks, after initially targeting Linux. Cryptographers warn that this blend of malware signals a continued convergence of traditional malware tooling with crypto theft.

The article cites on-chain reporting (Wazz) and a prior report claiming that over 500 Ethereum wallets were drained in 24 hours, with more than $800K taken and then swapped through ThorChain. Many of the drained wallets had been inactive for 7+ years.

Mitigations highlighted: verify the website domain before connecting, review transaction details before signing, and revoke any unlimited token approvals, especially after interacting with unfamiliar sites and wallet prompts.
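The last mitigation above (revoking unlimited approvals) is the one a user can check for themselves. As an added example that is not part of the article or of any project it names, the following decodes ERC-20 `Approval` event logs in the shape `eth_getLogs` returns, keeps the latest allowance per token and spender, flags the ones set to the maximum uint256, and builds the `approve(spender, 0)` calldata that revokes them; all addresses and log entries are constructed sample data.

```javascript
// Added example (not from the article): audit ERC-20 Approval logs for a wallet
// and build the calldata that revokes unlimited allowances. Every address and
// log entry below is constructed sample data, not a real on-chain record.

// keccak256("Approval(address,address,uint256)") -- the ERC-20 Approval topic
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance drainers ask for

// Decode one log entry: topics[1] = owner, topics[2] = spender, data = allowance.
function decodeApproval(log) {
  if (!log.topics.length || log.topics[0].toLowerCase() !== APPROVAL_TOPIC) return null;
  const addr = (topic) => "0x" + topic.slice(-40).toLowerCase();
  return {
    token: log.address.toLowerCase(),
    owner: addr(log.topics[1]),
    spender: addr(log.topics[2]),
    value: BigInt(log.data),
  };
}

// Logs arrive in chain order, so the last Approval per (token, spender) is the
// current allowance; report only those still set to MAX_UINT256.
function findUnlimitedApprovals(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApproval(log);
    if (a && a.owner === owner.toLowerCase()) latest.set(`${a.token}:${a.spender}`, a);
  }
  return [...latest.values()].filter((a) => a.value === MAX_UINT256);
}

// ABI-encoded approve(spender, 0): sent to the token contract to revoke the allowance.
function revokeCalldata(spender) {
  const spenderWord = spender.slice(2).toLowerCase().padStart(64, "0");
  return APPROVE_SELECTOR + spenderWord + "0".repeat(64);
}

// Constructed sample: one approval later reduced to zero, one left unlimited.
const OWNER = "0x1111111111111111111111111111111111111111";
const SPENDER_A = "0x2222222222222222222222222222222222222222";
const SPENDER_B = "0x3333333333333333333333333333333333333333";
const TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const word = (a) => "0x" + a.slice(2).padStart(64, "0");
const SAMPLE_LOGS = [
  { address: TOKEN, topics: [APPROVAL_TOPIC, word(OWNER), word(SPENDER_A)], data: "0x" + "f".repeat(64) },
  { address: TOKEN, topics: [APPROVAL_TOPIC, word(OWNER), word(SPENDER_B)], data: "0x" + "f".repeat(64) },
  { address: TOKEN, topics: [APPROVAL_TOPIC, word(OWNER), word(SPENDER_A)], data: "0x" + "0".repeat(64) },
];

for (const a of findUnlimitedApprovals(SAMPLE_LOGS, OWNER)) {
  console.log(`unlimited allowance on ${a.token} for ${a.spender}; revoke with ${revokeCalldata(a.spender)}`);
}
```

Only the spender that still holds a maximum allowance is reported; the one that was later reset to zero is not.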
Neutral
This news is essentially a security incident concerning Web3 users and wallet permissions, not a protocol-level or macro-fundamental change. Incidents of this kind (drainers and forged signature pop-ups) usually trigger short-term risk aversion and more cautious on-chain behaviour from traders, but they rarely have a direct effect on overall token supply and demand, liquidity, or long-term value. Direct transmission to market stability is therefore limited.

That said, "transaction friction" effects may appear in the short term: for example, investors may revoke unlimited approvals more often and interact less with unfamiliar dApps, so on-chain activity in the related tokens and ecosystems may cool briefly; the attackers' swapping of stolen funds (the article mentions ThorChain) could also cause localized volatility.

Historically, news about wallet-draining and approval-phishing operations such as StepDrainer and Pink Drainer has mainly hit user-side fund security, and the market has mostly responded with sentiment-level caution rather than a directional bullish or bearish move. Overall, the impact of this event leans neutral.