EXCLUSIVE

This new malware looks like a Job Ad, but can compromise over 50 browser-based wallets

ModStealer can bypass anti-virus, hijack clipboards, and capture screens
The advent of cryptocurrencies as a means of exchange and storing value has changed the way we perceive money and conduct transactions. 

From laser-fast cross-border payments to full control over one’s assets, cryptocurrency has disrupted traditional finance in so many ways. 

However, as the advantages of digital money increase by the day, so do its associated hazards and threats. 

One key tenet of cryptocurrencies is the promise of self-custody: keeping all your funds yourself, without needing a bank or any other intermediary. 

Self-custody in the new financial technology, however, means that users are now fully responsible for the safety of their own assets. 

This feature, celebrated as one of the key advantages of digital money, has turned out to be an Achilles’ heel in light of the sophisticated nature of cyberattacks and illicit crypto activity in recent times. 

You could lose all your money in an instant, making one wrong turn, and the chances of recovery are very slim. 

An example of these sophisticated cyberattacks is ModStealer, a new strain of malware that is turning out to be a nightmare for crypto users who keep their funds in browser-based wallets. 

The malware is disguised as a job advertisement and can run on several operating systems, making it truly cross-platform malware. 

“The emergence of ModStealer highlights how fast cybercriminals are evolving their tactics against crypto users.

“This malware doesn’t just target one platform; it’s capable of running on Windows, Linux, and macOS, and it’s designed to quietly drain sensitive data from crypto users, such as private keys, login credentials, and digital certificates from more than 50 browser-based wallets,” Chioma Onyekelu, Blockchain Forensics Specialist at A&D Forensics, tells Techpoint Africa. 

The ModStealer malware combines sophisticated code with a little bit of social engineering. 

Efficient anti-virus bypass

ModStealer has remained undetected by major antivirus engines since it first appeared a month ago. 

Most antivirus systems in mainstream use cannot detect the malware, making it an effective tool in the hands of bad actors. 

Speaking on its mode of operation, Onyekelu breaks down the sophisticated mechanism ModStealer employs and its capacity to do damage once inside a system. 

“What makes ModStealer particularly concerning is its ability to slip past traditional antivirus tools. By using obfuscated NodeJS scripts, it hides its code patterns, meaning most signature-based security scans won’t catch it. 

“Once inside, attackers can do more than steal keys. They can also hijack clipboards, capture screens, and even run commands remotely, effectively taking control of the infected device,” Onyekelu adds. 

Besides bypassing antivirus systems, ModStealer also compromises traditional security structures on Windows, Linux, and macOS. 

On macOS, the malware uses Apple’s launchctl tool to gain persistence by embedding itself as a LaunchAgent.
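The LaunchAgent persistence described above is something a defender can check for. The following script is an added example, not code from the article or from A&D Forensics: it lists LaunchAgent plists whose program arguments start a Node.js binary or a .js script. It assumes POSIX sh, sed, awk and grep, XML-format plists, and the constructed file names and labels shown in the self-check.

```shell
# Added example for defenders, not code from the article or from A&D Forensics.
# Flags macOS LaunchAgent plists whose ProgramArguments start a Node.js binary
# or a .js script, the persistence pattern the article attributes to ModStealer.
# Assumes POSIX sh/sed/awk/grep and XML plists; labels and paths are constructed.

# Succeed when any <string> value in the plist is a node binary or a .js path.
agent_is_suspicious() {
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$1" |
        grep -qiE '(^|/)node([^[:alnum:]]|$)|\.js$'
}

# Print the agent's Label: the <string> on the line after <key>Label</key>.
agent_label() {
    awk '/<key>Label<\/key>/ { getline; sub(/^[^>]*<string>/, "");
         sub(/<\/string>.*/, ""); print; exit }' "$1"
}

# Print "<label><TAB><file>" for every suspicious plist in one directory.
scan_launch_agents() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        if agent_is_suspicious "$f"; then
            printf '%s\t%s\n' "$(agent_label "$f")" "$f"
        fi
    done
}

# Self-check on two constructed plists (benign shell job, node-based agent).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/com.example.backup.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key>
  <string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/usr/local/bin/backup.sh</string>
</array></dict></plist>
EOF
    cat > "$tmp/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key>
  <string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>/Users/alice/.cache/helper.js</string>
</array><key>RunAtLoad</key><true/></dict></plist>
EOF
    scan_launch_agents "$tmp" | cut -f1   # prints only the flagged labels
    rm -rf "$tmp"
}
```

On a live Mac, run `scan_launch_agents "$HOME/Library/LaunchAgents"` and `scan_launch_agents /Library/LaunchAgents`; binary plists must first be converted with `plutil -convert xml1`.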

According to Cryptonews, it silently monitors activity and sends data to a remote server believed to be hosted in Finland but routed through German infrastructure. 

Mostly disguised as a recruiter advert targeted at developers and job seekers, ModStealer quickly infiltrates a system, leveraging features designed for stealth and scale.

Malware-as-a-service 

ModStealer belongs to a new sector of the cybercrime industry known as malware-as-a-service. 

“From a digital forensics and cybersecurity standpoint, ModStealer exemplifies the growing malware-as-a-service model, where ready-made attack kits are sold to affiliates with minimal technical skill. This has fueled a sharp rise in infostealers this year, underscoring how accessible crypto-targeted attacks have become,” Onyekelu says. 

In short, malware-as-a-service (MaaS) is a criminal business model in which cybercriminals sell malware and related services on the dark web or underground forums, enabling others, even those with limited technical skills, to launch cyberattacks.

MaaS operates like legitimate software-as-a-service platforms, offering tools such as ransomware, spyware, or botnets for a fee. The malware tools often come with user-friendly interfaces, subscription plans, and customer support. 

The MaaS sector is driving a surge in crypto breaches, hacks, and scams. In recent cybercrime activity, wallet breaches driven by infostealers like ModStealer have become a dominant trend.

According to reports, crypto investors lost over $2.2 billion to hacks, scams, and breaches in the first half of 2025, primarily due to wallet compromises and phishing attacks. 

Wallet breaches alone caused $1.7 billion in losses across just 34 incidents, while phishing scams accounted for over $410 million across 132 attacks.

How crypto users can protect themselves against ModStealer 

ModStealer is a hard nut to crack, but it can still be prevented through effective measures and practices. 

The infostealer is capable of infiltrating macOS, Linux, and Windows, and preventing an infection is far better than trying to recover from one. 

Despite the advancement of blockchain recovery services, prevention remains a better alternative as far as cybersecurity goes. 

Access to sensitive information like private keys, credentials, configuration files, and certificates could mean instant loss of funds and a complete takeover of one’s device. 

According to Onyekelu, protection boils down to strong security habits driven by the checklist below:

  • Rely on hardware wallets for safeguarding your large holdings. 
  • Install your crypto wallets and updates only from official sources. 
  • Be cautious with recruiter ads or free software downloads, which are often used to spread malware. 
  • Enable multi-factor authentication (MFA) wherever possible. 
  • Maintain good wallet hygiene through continuous monitoring and regular checks on your accounts. 

Despite the advanced security features of browser-based wallets like Phantom, Brave Browser, and Coinbase wallets, sophisticated malware like ModStealer endangers funds stored in them and discourages crypto adoption by fuelling wallet breaches and other disturbing cybercrime activities. 
