Cybersecurity firm Kaspersky has identified a new malware framework designed specifically to drain cryptocurrency wallets. The attack vector relies on social engineering and trojanized applications hosted on GitHub.
The campaign, which Kaspersky detailed in a report published Friday, uses fake versions of legitimate crypto tools. Victims are tricked into downloading malicious code that masquerades as trading bots, portfolio trackers, or wallet management software.
Once installed, the framework can intercept clipboard data – replacing copied wallet addresses with attacker-controlled ones – and harvest private keys stored on the device. Kaspersky said the malware is modular, allowing its operators to swap out payloads without rebuilding the entire infection chain.
"This is not a simple script kiddie operation," Kaspersky's research team noted in the report. "The framework shows clear planning. Attackers are targeting a specific audience: people who actively manage crypto assets and are comfortable installing open-source tools."
The malware spreads primarily through GitHub repositories that appear legitimate. Some repos have accumulated stars and forks, making them look trustworthy. Others are promoted via Telegram groups and crypto-focused forums.
GitHub is a popular distribution channel for crypto trading software, from DEX aggregator integrations to MEV bots. The platform's trust-by-default dynamic works in the attackers' favor – a repo with recent commits and responsive-looking documentation can fool even experienced users.
Kaspersky did not name specific repos or estimate the total number of victims. The company advised traders to verify the identity of software authors, check digital signatures, and run wallet operations on air-gapped machines when possible.
For traders who rely on third-party tools, the implications are straightforward: a compromised app can empty a wallet in seconds. No phishing email required, no fake website to double-check – the attacker is already inside the user's workflow.
The framework's modular design suggests future variants could target hardware wallet communication or exploit browser extension permissions. Kaspersky said it is tracking the malware under an internal codename and expects the operators to continue refining the code.
Crypto investors should treat any GitHub download as a potential risk. The safest approach: open-source does not mean safe. Audit the code yourself, run it in a sandbox first, or stick with well-known, audited tools from established developers.
Kaspersky finds fake GitHub crypto apps that can drain users’ wallets
Cybersecurity firm Kaspersky identified malicious software spread through fake versions of crypto trading bots, portfolio trackers and wallet tools on GitHub. Once installed, it can replace copied wallet addresses with attackers’ addresses and steal private keys, putting people’s cryptocurrency at risk.