New ModStealer Malware Targets Crypto Wallets on Mac, Windows, and Linux

ModStealer spreads through fake job ads, targeting developers and investors

A dangerous new malware known as ModStealer is putting crypto wallets at risk across macOS, Windows, and Linux systems. Security experts warn that this advanced threat can steal private keys, certificates, browser-based wallet extensions, and login credentials without being detected.

Apple-focused cybersecurity firm Mosyle discovered the malware, noting that it went unnoticed by major antivirus engines for nearly a month after being uploaded to VirusTotal. Researchers confirmed that ModStealer is built to extract sensitive data, with specific targeting for popular crypto wallets and browser extensions, including Safari and Chromium-based platforms.

On macOS, the malware gains persistence by registering as a background agent, silently operating in the system. Investigators believe its servers are hosted in Finland but routed through Germany to obscure its origin.
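A defender's check for the kind of macOS persistence described above, added here as an example that is not from the article, Mosyle or Hacken: it parses LaunchAgent plists with Python's plistlib and flags entries whose program or arguments point at download, temp or hidden paths, or that launch an interpreter with a script. The two sample plists, their labels and paths are constructed placeholders, not ModStealer indicators; the heuristics are generic and will need tuning for real hosts.

```python
import os
import plistlib

# Locations a legitimately installed agent's program normally lives under.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")
# Places a downloaded "test task" typically lands; heuristic, not a ModStealer indicator.
STAGING_HINTS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Downloads/", "/.")
INTERPRETERS = {"node", "python", "python3", "osascript", "sh", "bash", "zsh", "perl"}

# Constructed sample plists (hypothetical labels and paths, not real artifacts).
SAMPLE_LEGIT = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.placeholder.helper</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
<string>/Users/dev/Downloads/test-task/.cache/main.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

def assess_launch_agent(plist_bytes):
    """Return (label, program, reasons); an empty reasons list means nothing looked off."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "<no label>")
    argv = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    program = argv[0] if argv else ""
    reasons = []
    if not program:
        reasons.append("no Program/ProgramArguments")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    if any(hint in arg for arg in argv for hint in STAGING_HINTS):
        reasons.append("references a download, temp or hidden path")
    if os.path.basename(program) in INTERPRETERS and len(argv) > 1:
        reasons.append(f"interpreter {os.path.basename(program)} launched with a script")
    # RunAtLoad/KeepAlive are normal for legitimate agents; note them only once something else looks off.
    if reasons and (data.get("RunAtLoad") or data.get("KeepAlive")):
        reasons.append("persists via RunAtLoad/KeepAlive")
    return label, program, reasons

def scan_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Assess every .plist in a LaunchAgents directory; return only the flagged entries."""
    flagged = []
    for name in (sorted(os.listdir(directory)) if os.path.isdir(directory) else []):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                label, program, reasons = assess_launch_agent(fh.read())
            if reasons:
                flagged.append((name, label, program, reasons))
    return flagged
```

Running `scan_launch_agents()` on a workstation lists only the agents worth a manual look; `/Library/LaunchAgents` and `/Library/LaunchDaemons` can be passed the same way.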

The biggest red flag for users is how ModStealer spreads: through fake job recruitment ads. Victims are tricked into downloading malicious “test tasks” disguised as work assignments. Once installed, ModStealer runs quietly in the background, capturing clipboard data, taking screenshots, and even executing remote commands.

Stephen Ajayi, technical lead at blockchain security firm Hacken, told Cointelegraph that fraudulent job campaigns targeting Web3 developers are becoming alarmingly common. He urged developers to verify recruiter legitimacy, request assignments through public repositories, and only open test files inside disposable virtual machines with no wallet access.

To protect assets, Ajayi emphasized strict separation of development and wallet environments, hardware wallet use, and basic wallet hygiene. He recommended confirming addresses on hardware devices, keeping seed phrases offline, using multifactor authentication, and enabling FIDO2 passkeys when possible.

As the rise of Web3 continues, threats like ModStealer highlight the urgent need for heightened caution. For both developers and investors, security vigilance is no longer optional—it is essential.