W3BStation
09/12/2025

New ModStealer Malware Targets Crypto Wallets Across Multiple Operating Systems


A new piece of malware called ModStealer has been discovered by cybersecurity experts, directly targeting crypto wallet users across macOS, Windows, and Linux — raising serious concerns in the Web3 community.

Initial Discovery

According to Apple security firm Mosyle, ModStealer appeared on the VirusTotal analysis platform but evaded detection by nearly all antivirus software for close to a month. The malware is programmed to harvest sensitive data including private keys, certificates, login credential files, and wallet browser extensions for both Safari and Chromium.

On macOS, ModStealer exploits a system mechanism to register itself as a background agent, allowing it to run silently on the victim's machine. The command-and-control server has been traced to Finland, though traffic was likely rerouted through Germany to conceal the attackers' identity.

A Sophisticated Infection Vector

What makes ModStealer particularly alarming is that it does not spread via links or typical file downloads, but instead through fake job postings — a tactic growing increasingly common among cybercriminals targeting Web3 developers.

When users download a "skills assessment" from a fraudulent recruiter, they are in fact installing a software package laced with malware. Once inside, ModStealer can:

  • Harvest clipboard data (including copied wallet addresses).
  • Take screenshots.
  • Execute remote commands.
  • Steal private keys and seed phrases.

Warning from Hacken Security Expert

Speaking with Cointelegraph, Stephen Ajayi, head of audit engineering at Hacken, warned that fake recruitment campaigns are becoming a persistent threat for blockchain developers.

He recommends that developers:

  • Thoroughly verify the legitimacy of any recruiting company and its domain.
  • Request that assessments be shared via a public repository.
  • Open suspicious files inside a disposable virtual machine with no wallets, SSH keys, or password managers present.

Ajayi emphasized the importance of completely separating development environments from asset storage:

"One dev box for code only, one wallet box for managing wallets. Never mix the two."
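
The disposable-VM recommendation above can be checked before a suspicious assessment is opened. The script below is an added example, not code from Hacken or Mosyle: it audits a home directory for wallets, SSH keys and password stores. The paths are assumed Linux/macOS defaults, and the function names are illustrative.

```python
from pathlib import Path

# Assumed default locations on Linux/macOS; extend for the tools you use.
SECRET_PATHS = {
    ".bitcoin": "Bitcoin Core data directory",
    ".ethereum/keystore": "geth keystore",
    ".config/solana/id.json": "Solana CLI keypair",
    ".electrum/wallets": "Electrum wallets",
    ".password-store": "pass password store",
    ".gnupg/private-keys-v1.d": "GnuPG private keys",
    # Browser profiles hold wallet extensions and saved logins.
    ".config/google-chrome": "Chrome profile",
    ".config/chromium": "Chromium profile",
    "Library/Application Support/Google/Chrome": "Chrome profile (macOS)",
    "Library/Safari": "Safari data (macOS)",
}


def is_populated(path: Path) -> bool:
    """True for a non-empty file or directory; unreadable counts as present."""
    try:
        if path.is_dir():
            return any(path.iterdir())
        return path.is_file() and path.stat().st_size > 0
    except OSError:
        return True


def find_private_keys(ssh_dir: Path) -> list[str]:
    """Detect private keys by PEM header, so renamed key files are caught too."""
    hits = []
    if ssh_dir.is_dir():
        for f in sorted(ssh_dir.iterdir()):
            if f.is_file() and b"PRIVATE KEY-----" in f.read_bytes()[:256]:
                hits.append(f.name)
    return hits


def audit_home(home: Path) -> list[str]:
    """Return a description of every secret store found under home."""
    findings = [f"{label}: {rel}" for rel, label in SECRET_PATHS.items()
                if is_populated(home / rel)]
    findings += [f"SSH private key: .ssh/{n}" for n in find_private_keys(home / ".ssh")]
    return findings


if __name__ == "__main__":
    results = audit_home(Path.home())
    print("\n".join(results) or "clean: no wallets, keys or password stores found")
    raise SystemExit(1 if results else 0)
```

Run it inside the VM before copying the assessment in; a non-zero exit status means the machine is not the empty "dev box" the advice calls for.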

Protecting Your Crypto Wallet

Hacken's expert also outlined several basic but essential preventive measures:

  • Always use a hardware wallet and carefully verify transaction addresses (at least the first and last 6 characters).
  • Use a dedicated browser or device exclusively for wallet interactions.
  • Store seed phrases offline.
  • Enable multi-factor authentication (MFA) and FIDO2 passkeys wherever possible.

Closing Thoughts

The emergence of ModStealer underscores how cybercriminals are becoming increasingly creative and sophisticated in their attacks on digital assets. Web3 users and developers need to stay vigilant, adopt basic security hygiene, and never let their guard down when it comes to online job offers.