Hidden Threat: How Crypto Malware Steals ETH, XRP, and SOL from Wallets Unnoticed

Crypto Malware Stealing ETH, XRP, and SOL from Wallets

By Vignesh Karunanidhi
April 13, 2025, at 4:00 PM UTC
Edited by Anthony Patrick


In a troubling development in the cryptocurrency sector, cybersecurity researchers have unveiled a sophisticated malware campaign that targets users’ cryptocurrency wallets, specifically aiming to siphon off Ethereum (ETH), XRP, and Solana (SOL). The malicious activity primarily impacts users of popular cryptocurrency wallets, such as Atomic and Exodus, and exploits compromised packages from the node package manager (NPM).

How the Attack Unfolds

Researchers have identified a particular NPM package named “pdf-to-office” as part of the malicious campaign. While it appears to be a legitimate utility, it conceals harmful code that activates once developers unknowingly include it in their projects. Installing the package triggers a series of actions designed to compromise the system and redirect transactions from the victim’s wallet to the attackers’ wallets, with no visible alert to the user.

Upon installation, the malware scans the system for known cryptocurrency wallets and injects malicious code that secretly intercepts transaction requests. This process involves sophisticated maneuvers that allow the malware to obfuscate its activities and evade detection by security systems.

Advanced Techniques in Cyber Theft

Researchers at ReversingLabs, who first flagged the attack, detailed the advanced techniques used in this malware operation. The malicious package employs a multi-stage attack strategy, using obfuscation to conceal its purpose from anyone inspecting the package.

The infection sequence begins as the malware executes its payload, focusing on the wallet software installed on the device. It specifically searches for application files in predefined paths. Once it locates the wallet software, it extracts and modifies the application files, incorporating the trojanized code before repackaging them to appear unchanged.

A critical component of this malware is its ability to alter transaction requests. The attacker-controlled wallet addresses are stored base64-encoded inside the injected code, and the malware decodes them and swaps them in for the legitimate recipient address. Therefore, when a user attempts to send funds, the address is seamlessly substituted with an attacker-controlled address without the user’s knowledge.
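One defensive check that follows from the technique described above is to scan JavaScript in installed packages or patched wallet bundles for base64 literals that decode to a wallet address, since a legitimate library rarely needs to hide a hard-coded recipient that way. The script below is an added example and is not code from the article or from ReversingLabs; the address regexes are approximations, and the sample JavaScript and the addresses in it are constructed placeholders, not real indicators from the campaign.

```python
import base64
import re

# Approximate address formats for the three chains the campaign targeted.
# Order matters: an XRP classic address ('r' + base58) would also satisfy the
# looser SOL base58 pattern, so XRP is tested before SOL.
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("XRP", re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}")),
    ("SOL", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]

# Base64 runs long enough to hold an address (a 42-char ETH address encodes to 56 chars).
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{28,}={0,2}")


def classify(candidate: str):
    """Return the chain whose address format the string matches, else None."""
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(candidate):
            return chain
    return None


def find_encoded_addresses(source: str):
    """Return (chain, decoded_address, literal) for every base64 literal in
    `source` that decodes to something shaped like a wallet address."""
    hits = []
    for match in B64_LITERAL.finditer(source):
        literal = match.group(0)
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not printable text: ignore
        chain = classify(decoded)
        if chain:
            hits.append((chain, decoded, literal))
    return hits


# Constructed placeholders (not real indicators) and a constructed JS snippet in the
# style the report describes: decode a hidden recipient and overwrite the transaction's target.
SAMPLE_ETH = "0x" + "ab" * 20
SAMPLE_XRP = "r" + "9" * 33
SAMPLE_SOL = "7" * 40
b64 = lambda s: base64.b64encode(s.encode()).decode()
SAMPLE_JS = (
    f'const fee = "{b64(SAMPLE_ETH)}";\n'
    f'const meta = "{b64("npm-package-version-1.0.0")}";\n'  # benign literal, no hit
    f'const alt = ["{b64(SAMPLE_XRP)}", "{b64(SAMPLE_SOL)}"];\n'
    "tx.to = atob(fee);\n"
)
```

Run over the sample, the scanner reports three hits (ETH, XRP, SOL) and skips the benign version string; on real packages, review each hit by hand, since base58 patterns will occasionally match ordinary identifiers.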

The Risks for Cryptocurrency Users

The implications of this malware are severe. While transactions may seem normal and users may perceive no issues in their wallet interfaces, funds are being illicitly transferred to the attackers. Victims only discover the compromise after reviewing their blockchain transaction history, finding funds directed to unknown or unexpected addresses.

The report from cybersecurity experts has emphasized that this malware campaign signifies a worrying escalation in attacks targeting cryptocurrency users through software supply chain vulnerabilities. As the cryptocurrency landscape continues to evolve, the need for heightened security measures becomes increasingly critical.


In conclusion, cryptocurrency users are urged to exercise caution, particularly when installing software or updates in their development environment. Regularly monitoring transaction histories for unauthorized activity and employing security measures against malware threats are essential steps in safeguarding digital assets. As crypto adoption grows, awareness of such cyber threats remains imperative for protecting one’s investments in the burgeoning digital finance sector.
