Cybersecurity company Kaspersky has detected a new and sophisticated infostealer malware that directly targets cryptocurrency users. Dubbed “Stealka,” this malware reportedly first appeared in November 2025 and spreads through fake game mods and pirated software.
Stealka’s distribution through seemingly trustworthy platforms like GitHub, SourceForge, and Google Sites makes the threat difficult to detect.
According to Kaspersky’s analysis, Stealka infiltrates users’ systems disguised as cheats and mods for popular games (such as Roblox and Grand Theft Auto V) or pirated versions of software like Microsoft Visio. Attackers create professional-looking fake websites to present the malware as legitimate content, thereby persuading users to download it.
Stealka’s primary target is Chromium and Gecko-based browsers. This includes over 100 browsers at risk, including Chrome, Firefox, Opera, Edge, Brave, and Yandex Browser. The malware can steal autofill data such as saved login credentials, addresses, and payment card information. It also attempts to gain access to cryptocurrency wallets, password managers, and two-factor authentication services by targeting the settings and databases of browser extensions.
According to the report, Stealka directly targets over 80 cryptocurrency wallets, including MetaMask, Binance, Coinbase, Trust Wallet, Phantom, Crypto.com, SafePal, Exodus, and others. The malware seeks highly sensitive information such as encrypted private keys, seed phrase wallet file paths, and encryption parameters. Obtaining this data poses a potential risk, allowing attackers to gain unauthorized access to crypto assets and empty wallets. Stealka also targets the configuration files of independent cryptocurrency wallet applications.
Not limited to the crypto ecosystem, Stealka also targets messaging apps like Discord and Telegram, email clients, gaming platforms, password managers, and VPN services. This broad attack surface enhances cybercriminals’ ability to compromise accounts and gather intelligence for further attacks.
Kaspersky researcher Artem Ushkov stated that the majority of users affected by Stealka are located in Russia, but cases have also been detected in Turkey, Brazil, Germany, and India. He also noted that the attackers continue to spread the malware using compromised accounts on legitimate game modding sites, thus creating a chain reaction of infection.
Kaspersky stated that while Stealka has the potential to cause significant financial losses, so far, none of the detected instances have been confirmed as large-scale cryptocurrency theft cases.
Experts recommend that users avoid pirated software and unverified game mods, and only download from official and trusted sources.
*This is not investment advice.
