New Stealka Malware Targets Crypto via Fake Game Mods
Kaspersky identifies sophisticated infostealer spreading through fake Roblox and GTA V cheats on trusted platforms
By Amoo Jubril
December 23, 2025 at 12:08 PM
Last updated: December 23, 2025 at 12:08 PM

KEY FACTS
- Kaspersky discovered Stealka malware spreading through fake game mods on GitHub, SourceForge, and Google Sites since November 2025.
- The infostealer targets over 80 crypto wallets including Binance, Coinbase, MetaMask, and Trust Wallet by stealing private keys and seed phrases.
- No confirmed crypto thefts reported yet, but users should avoid pirated software and use dedicated password managers for protection.
Cybersecurity firm Kaspersky has identified a dangerous new infostealer malware called Stealka that specifically targets cryptocurrency users. First detected in November 2025, the malware spreads through fake game modifications and pirated software on trusted platforms.
The sophisticated threat disguises itself as cheats for popular games like Roblox and Grand Theft Auto V. It also poses as cracked versions of legitimate software, such as Microsoft Visio. Attackers have built professional-looking websites on GitHub, SourceForge, and Google Sites to distribute the malicious code.
Among the 80 cryptocurrency wallets targeted are major platforms including Binance, Coinbase, MetaMask, Crypto.com, SafePal, and Trust Wallet. Phantom, Ton, Nexus, and Exodus wallets are also at risk from this new threat.
Kaspersky reports that all detected Stealka instances were successfully blocked by their security solutions. No confirmed evidence of significant cryptocurrency theft has emerged from the campaign so far.
How Stealka Steals Your Crypto Keys
The malware primarily targets browsers built on Chromium and Gecko engines. More than 100 different browsers face exposure, including Chrome, Firefox, Opera, Edge, Brave, and Yandex Browser.
Stealka extracts autofill data containing sign-in credentials, addresses, and payment card details from compromised browsers. The approach mirrors techniques used by ModStealer malware discovered in September.
Beyond browser data, the malware targets settings and databases of browser extensions. It focuses on crypto wallets, password managers, and two-factor authentication services installed as extensions.
The infostealer searches for highly sensitive information, including encrypted private keys and seed phrase data. It also collects wallet file paths and encryption parameters that could enable unauthorized access to digital assets.
Standalone cryptocurrency wallet applications are not safe either. Stealka accesses configuration files containing critical security information from these programs.
The malware also compromises messaging applications like Discord and Telegram. Email clients, gaming platforms, password management applications, and VPN services are targeted as well.
Global Reach and Protection Measures
Kaspersky researcher Artem Ushkov reported that most Stealka victims are located in Russia. However, attacks have also been detected in Turkey, Brazil, Germany, and India.
Attackers have been found using compromised accounts on legitimate gaming mod sites to spread the malware further. This creates a dangerous cycle where hijacked credentials become tools for additional infections.
The malware’s potential for causing financial damage remains considerable despite current containment. Users must take proactive steps to protect their digital assets from this evolving threat.
Kaspersky recommends avoiding downloads of pirated software, unofficial game modifications, and cheats from unverified sources. These remain primary distribution vectors for Stealka and similar malware.
Deploying reliable antivirus software with real-time scanning capabilities is essential for protection. Users should minimize storing sensitive information like passwords and payment details directly in browsers.
Kaspersky also advises using dedicated password management applications instead of browser-based storage. Two-factor authentication should be enabled on all accounts, with backup codes stored securely.
Users should exercise caution about which browser extensions they install. Downloading software only from official, verified sources significantly reduces infection risk.
In contrast to browser-stored credentials, hardware wallets and offline storage methods provide stronger protection for cryptocurrency holdings. Security experts continue to emphasize cold storage as the safest option for significant digital asset holdings.
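A self-audit that follows from the recommendations above, as an added example that is not from Kaspersky or the original article: it counts what a Chromium-family profile stores (saved logins, autofill entries, payment cards) and lists installed extensions, flagging those with access to all sites. The file and table names are those of the standard Chromium profile layout; Gecko-based browsers use a different layout and are not covered.

```python
import json
import sqlite3
import sys
from pathlib import Path

# Chromium profile files that hold browser-stored secrets -> tables to count.
# Rows are only counted; no stored value is read or decrypted.
STORES = {"Login Data": ["logins"], "Web Data": ["autofill", "credit_cards"]}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def count_rows(db_path: Path, table: str) -> int:
    """Count rows read-only, without locking the browser's database."""
    uri = db_path.resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        return con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    except sqlite3.Error:
        return 0  # table absent in this browser version, or not a database
    finally:
        con.close()


def audit_profile(profile: Path) -> dict:
    """Summarise stored secrets and installed extensions in one profile."""
    report = {"stored": {}, "extensions": []}
    for fname, tables in STORES.items():
        db = profile / fname
        for table in tables:
            report["stored"][table] = count_rows(db, table) if db.is_file() else 0
    for manifest in sorted(profile.glob("Extensions/*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        perms = data.get("permissions", []) + data.get("host_permissions", [])
        hosts = {p for p in perms if isinstance(p, str)}
        report["extensions"].append({
            "id": manifest.parent.parent.name,
            "name": data.get("name", "?"),  # may be a localisation placeholder
            "broad_access": bool(hosts & BROAD_HOSTS),
        })
    return report


if __name__ == "__main__":
    # Pass a profile directory, e.g. the "Default" folder of a Chromium browser.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print(json.dumps(audit_profile(target), indent=2))
```

Non-zero counts under "stored" are entries to move into a dedicated password manager, and extensions with "broad_access" set are the ones to review first.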
© 2026 Coinwaft. All Rights Reserved.