Bitcoin is on a tear. For the first time in its history, the digital currency surpassed $100,000 in early December, having surged more than 30% since election night in the US. Whether or not the optimism about President-elect Donald Trump’s pro-crypto rhetoric on the campaign trail will be realized, the value of virtual coins continues to tick up. But so too do scams and malware designed to steal your crypto.

ESET’s latest Threat Report reveals that detections of cryptostealers rose by 56 percent from H1 to H2 2024 – across Windows, Android and macOS. It’s time to take a look at the latest threats to your digital currency, and how to keep it safe.

Why crypto is so attractive to cybercriminals

The FBI says it received over 69,000 public complaints about financial fraud relating to cryptocurrency such as bitcoin, ether or tether in 2023. And although these comprised just 10% of the total number of financial fraud complaints to the Bureau, they accounted for almost half of total losses, or $5.6 billion for the year.

That’s a 43% annual increase, with cryptocurrency stolen across all the major cybercrime types tracked by the FBI, from malware and identity theft, to ransomware, phishing and romance scams. However, the majority of cryptocurrency losses in 2023 came from investment fraud (71%) and call center fraud, including tech/customer support scams and government impersonation scams (10%).

The growth in such crime is a reflection of the growing role cryptocurrency plays in global finance. But it’s also favored for specific reasons, according to the FBI. The decentralized nature of virtual currency, the speed of irreversible transactions, and the ability to transfer it around the globe make it popular among cybercriminals, and difficult for victims to recover once stolen.

Crypto threats to beware of

So where was criminal activity in 2024 focused? The latest ESET Threat Report reveals some intriguing findings:

  • On the macOS platform, Password Stealing Ware (PSW), which often takes aim at credentials related to cryptocurrency wallets, shot up by 127%. This was partly driven by a malware-as-a-service tool sold on Telegram called AMOS (also known as Atomic Stealer), along with its numerous versions and imitators. Attackers spread this malware via seemingly genuine but malicious ads on Google’s ad network, luring people to a site that prompts them to download malware posing as legitimate software.
  • PSW threats were also behind the growth of cryptostealers that target the Windows platform. A large section of this activity was fuelled by a variant of the infamous malware-as-a-service Lumma Stealer.
  • Many Android banking trojans now contain cryptostealer functionality alongside traditional features – so much so that ESET now incorporates both threat types in its “Android Financial threats” category. This class of threats rose by 20 percent overall in H2 2024.

Figure 1. Cryptostealer detections from December 2023 to November 2024 (source: ESET Threat Report H2 2024)

ESET’s Threat Report for the first half of 2024 also has some interesting insights:

  • Novel GoldPickaxe malware targeting owners of cryptocurrency wallets and south-east Asian financial services customers. This sophisticated trojan has the ability to steal facial biometric data and use it to produce deepfake videos of victims, to help bypass authentication checks.
  • The evolution of a long-running botnet (Ebury) to steal cryptocurrency wallets hosted on targeted servers. It does this by conducting adversary-in-the-middle attacks, redirecting network traffic to a system under the threat actors’ control so they can capture SSH credentials and run scripts to exfiltrate the relevant crypto-wallet data.
  • An uptick in activity centered around the Vidar infostealer, which is designed to harvest credentials stored by browsers and data from crypto-wallets. It’s delivered by a malicious installer spread via Facebook ads, Telegram groups and dark web forums.
  • Targeting of gamers via crypto- and infostealing malware hidden inside cracked games and cheating tools offered on Discord servers and torrent sites. These include RedLine Stealer and Lumma Stealer. Detections of the cryptowallet-focused Lumma were declining in the period, but ESET discovered a new variant, Win/Spy.Agent.QLD, that’s on the rise.
  • The persistent threat of phishing as a means to access crypto-assets, by tricking users into handing over their logins. For example, cryptocurrency-related phishing sites accounted for 8% of all those observed in H1 2024 by ESET. That places it in the top five categories for the period.
Figure 2. Fake crypto wallet app (source: ESET Threat Report H2 2024)

It’s not just phishing and malware that you need to be aware of when it comes to cryptocurrency theft. As is clear from the FBI’s figures, fraudsters have designed a range of scams intended to part you with your virtual currency. According to a Chainalysis report in August: “With several billion in inflows, scams with a crypto nexus are mounting in 2024 and are one of the largest areas of illicit activity YTD.”

It highlights pig butchering, which typically blends romance scams with investment fraud, as one of the most common means of crypto theft.

How to keep your crypto safe

All of which puts extra pressure on you to keep that cryptocurrency safe. There are various measures you can take to mitigate the threat from phishing, info-stealing/cryptostealing malware, scams and more. Consider the following:

  • Don’t put all of your funds in one crypto wallet. Spread the risk, and consider keeping at least most of your funds in cold (hardware) wallets that aren’t connected to the internet, and are therefore better insulated from digital threats. Choose your wallet providers carefully based on reviews, keep internet-connected (aka hot) wallets protected with MFA, and keep cold wallets physically under lock and key.
  • Turn on two-factor authentication (2FA) for any crypto app you own, mitigating the risk of phishers obtaining your passwords.
  • Don’t use public Wi-Fi when out and about, and certainly don’t access your crypto accounts while connected to it, in case there are digital eavesdroppers about.
  • Always keep your devices and laptops/PCs up to date with patches and security software, to mitigate the impact of info/cryptostealers.
  • Use a VPN from a reputable provider for an extra layer of security to guard against phishing, malware and other threats.
  • Only download software from trusted sources and official websites, checking user reviews and developer ratings beforehand.
  • Minimize your risk exposure by limiting how much software you download. Periodically remove unused extensions/software with this in mind.
  • Check regularly for any potential unusual activity in your crypto accounts.
  • Be alert to scams. That means phishing messages, investment opportunities that seem too good to be true, and romantic encounters with individuals who refuse to meet or video call.

The fact that the FBI now has its own dedicated cryptocurrency crime report indicates the scale of the problem. Stay alert, and don’t let anyone get their hands on your digital assets.