Malware campaign detected stealing a wide range of sensitive data and emptying victims’ cryptocurrency wallets
A new campaign has compromised cryptocurrency enthusiasts with sophisticated malware distributed through multiple channels, including a malicious PyPI package called “cryptoaitools” and repositories on GitHub. The malware, designed to steal sensitive data and empty cryptocurrency wallets, presented itself as a set of legitimate trading tools. Upon installation, it triggered a multi-stage infection process targeting both Windows and macOS systems, and used a fake website posing as a trading bot service to download additional payloads and extend its functionality. The attack used a deceptive graphical interface to distract victims while stealing cryptocurrency wallet information, browser data and sensitive files. The stolen data was temporarily stored and then uploaded to gofile.io, with the download links delivered to the attackers over Telegram, where they also promoted these fraudulent bots in groups and offered fake support to attract more victims.