New Malware ‘ModStealer’ Targets Crypto Wallets
What Researchers Found
A newly discovered malware dubbed ModStealer is targeting cryptocurrency users across macOS, Windows, and Linux, according to security firm Mosyle. The malware went undetected by major antivirus tools for almost a month after being uploaded to VirusTotal, highlighting gaps in signature-based protection.
Mosyle said ModStealer is engineered to steal secret keys, certificates, credential files, and browser wallet data. Pre-loaded code specifically targets 56 wallet extensions across Safari and Chromium browsers. On macOS, the malware persists by abusing Apple’s launchctl tool, registering as a background LaunchAgent to quietly exfiltrate data to a remote server. The server infrastructure was traced to Finland but appeared to be routed through Germany to obscure its operators.
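As an added, defender-side example (not code from Mosyle or from the article): a small Python audit that reads LaunchAgent plists and flags the attributes typical of the persistence technique described above, so that a suspicious agent can be reviewed before a signature exists. The sample plist, the "suspicious directory" list and the interpreter list are constructed assumptions for illustration, not ModStealer indicators.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent (placeholder label/path, not a real ModStealer artifact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/env</string><string>node</string>
         <string>/Users/Shared/.cache/main.js</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent for comparison: a vendor binary under /Applications, no KeepAlive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Assumed heuristics: world-writable/temp locations and script interpreters used as launchers.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"node", "python", "python3", "osascript", "bash", "sh", "zsh"}

def assess_launch_agent(plist_bytes):
    """Return a list of reasons a LaunchAgent deserves review (empty list = nothing flagged)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    reasons = []
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("runs at login and is restarted if killed")
    for a in args:
        if Path(a).name in INTERPRETERS:
            reasons.append(f"interpreter launched: {a}")
        if a.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"payload in shared/temp location: {a}")
        if "/." in a:
            reasons.append(f"hidden path component: {a}")
    return reasons

def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents"):
    """Scan every plist in a LaunchAgents directory; returns {filename: reasons} for flagged ones."""
    findings = {}
    for p in Path(directory).glob("*.plist"):
        try:
            reasons = assess_launch_agent(p.read_bytes())
        except Exception as exc:  # malformed plists are themselves worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[p.name] = reasons
    return findings

if __name__ == "__main__":
    for reason in assess_launch_agent(SAMPLE_PLIST):
        print("-", reason)
```

Run `scan_launch_agents()` on a user profile to review its agents; the system-wide `/Library/LaunchAgents` and `/Library/LaunchDaemons` can be passed as the directory argument.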
How ModStealer Spreads
The malware is being distributed through fake job recruitment ads targeting developers, echoing a broader trend of social engineering campaigns against Web3 workers. Once installed, ModStealer embeds itself, captures clipboard data, takes screenshots, and executes remote commands—effectively granting attackers full control of compromised devices.
Stephen Ajayi of security firm Hacken told Cointelegraph that malicious “test tasks” are now a common delivery vector. He urged developers to validate recruiters, only accept assignments via public repositories, and open files exclusively in disposable virtual machines with no present.
“A clear separation between the development environment ‘dev box’ and wallet environment ‘wallet box’ is essential,” Ajayi said, stressing compartmentalization as a defensive layer.
Best Practices for Crypto Users
Ajayi emphasized hardware wallets as a primary safeguard, urging users to confirm transaction addresses directly on device displays before signing. He also recommended maintaining a dedicated browser profile or separate device for wallet activity, interacting only with trusted extensions.
Other protections include offline storage of seed phrases, enabling multifactor authentication, and adopting FIDO2 passkeys where available. Endpoint hardening and continuous monitoring, Mosyle added, are crucial as malware-as-a-service models proliferate.
Context: Rising Wave of Crypto Malware
ModStealer’s discovery follows a string of high-profile exploits. Just last week, Ledger CTO Charles Guillemet warned about onchain transactions amid a Node Package Manager (NPM) supply chain attack. Although that incident was contained rapidly—with only about $1,000 stolen—the scale of risk was enormous, as the spoofed packages had billions of downloads.
Security researchers also flagged a ReversingLabs report showing threat actors embedding malicious instructions in ETH smart contracts linked to NPM packages. Together, these incidents highlight how attackers are increasingly targeting developer supply chain ecosystems.
With ModStealer now circulating undetected for weeks, experts warn that behavioral detection and zero-trust practices must replace reliance on outdated antivirus signatures. As malware evolves into a service-based industry, the race in security.