This Elusive Malware Has Been Targeting Crypto Wallets for a Year

With custom domains and apps, advertising and a social media presence, the ElectroRAT malware operation targeting crypto wallets is extensive.

By Benjamin Powers
Updated Sep 14, 2021, 10:52 a.m. Published Jan 6, 2021, 6:33 p.m.
Operating for a year now, insidious malware ElectroRAT is bringing 2020 into 2021 and targeting crypto wallets.

A researcher at cybersecurity firm Intezer has identified and documented the inner workings of ElectroRAT, which has been targeting and draining victims’ funds.

According to the researcher, Avigayil Mechtinger, the malware operation includes a variety of carefully built components that dupe victims, including a “marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch.”

The malware is called ElectroRAT because it is a remote access tool that was embedded in apps built on Electron, a cross-platform framework for building desktop applications.

“It's unsurprising to see novel malware being published, especially during a bull market in which the value of cryptocurrency is shooting up and making such attacks more profitable,” said Jameson Lopp, chief technology officer (CTO) at crypto custody startup Casa.

Over the past few months, bitcoin and other cryptocurrencies have entered a bull market, seeing prices skyrocket across the industry.

What is ElectroRAT?

ElectroRAT is written in Go (Golang), an open-source language that compiles easily for multiple platforms; the malware is built for and targets multiple operating systems, including macOS, Linux and Windows.

As part of the malware operation, the attackers set up “domain registrations, websites, trojanized applications and fake social media accounts,” according to the report.

In the report, Mechtinger notes that while attackers commonly try to collect private keys used to access people’s wallets, seeing original tools like ElectroRAT and the various apps written “from scratch” and targeting multiple operating systems is quite rare.

A visual summary of the scope of ElectroRAT

“Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all antivirus detections,” wrote Mechtinger in the report.

Lopp echoed these comments, and said it’s particularly interesting the malware is being compiled for and targeting all three major operating systems.

“The vast majority of malware tends to be Windows-only due to the wide install base and the weaker security of the operating system,” said Lopp. “In the case of bitcoin, malware authors may reason that a lot of early adopters are more technical people who run Linux.”

How it works

To lure in victims, the ElectroRAT attackers created three different domains and apps that run on multiple operating systems.

The pages to download the apps were created specifically for this operation and designed to look like legitimate entities.

The associated apps specifically appeal to and target cryptocurrency users. “Jamm” and “eTrade” are trade management apps; “DaoPoker” is a poker app that uses cryptocurrency.

Using fake social media and user profiles, as well as paying a social media influencer for their advertising, the attacker pumped the apps, including promoting them in targeted cryptocurrency and blockchain forums like bitcointalk and SteemCoinPan. The posts encouraged readers to look at the professional-looking websites and download the apps when, in reality, they were also downloading the malware.

The front end of the eTrade app

For example, the DaoPoker Twitter page had 417 followers, while a social media advertiser with over 25,000 followers on Twitter promoted eTrade. As of writing, the DaoPoker Twitter page is still live.

While the apps look legitimate at first glance on the front end, they are running nefarious background activities, targeting users' cryptocurrency wallets. They are also still active.

“Hackers want to get your cryptocurrency, and they are willing to go far with it – spend months of work to create fake companies, fake reputation and innocent-looking applications that hide malware to steal your coins,” said Mechtinger.

What it does

“ElectroRAT has various capabilities,” said Mechtinger in an email. “It can take screenshots, key logs, upload folders/files from a victim's machine and more. Upon execution, it establishes commands with its command-and-control server and waits for commands.”

The report suggests the malware specifically targets cryptocurrency users for the purpose of attacking their crypto wallets, noting that victims were observed commenting on posts related to the popular Ethereum wallet app Metamask. Based on the researchers’ observations of the malware’s behaviors, it’s possible more than 6.5 thousand people had been compromised.

How to avoid it

The first step is the best step and that’s not to download any of these apps, full stop.

In general, when you’re looking into new apps, Lopp suggests avoiding shady websites and forums. Only install software that is well-known and properly reviewed; look for apps with lengthy reputation histories and sizable install bases.

“Don't use wallets that store the private keys on your laptop/desktop; private keys should be stored on dedicated hardware devices,” said Lopp.

This point reinforces the importance of storing your crypto in cold hardware wallets and writing down seed phrases rather than storing them on your computer. Both of these techniques keep the keys out of reach of malware running on your computer and monitoring your activity.

A victim commenting on the malicious activity of one of the ElectroRAT apps

There are secondary steps that can be taken if you think your computer might have already been compromised.

“To make sure you are not infected we recommend [you] take proactive action and scan your devices for malicious activity,” said Mechtinger.

In the report, Mechtinger suggests that if you think you’re a victim of this scam, you need to kill the processes running and delete all files related to the malware. You also need to make sure your machine is clean and running non-malicious code. Intezer has created Endpoint Scanner for Windows environments and Intezer Protect, a free community tool for Linux users. More detailed information about detection can be found in the original report.

And, of course, you should move your funds to a new crypto wallet and change all your passwords.

A higher bitcoin price attracts more malware

With the price of bitcoin continuing to rise, Mechtinger doesn’t see attacks like this slowing down. In fact, they’re likely to increase.

“There are high capitals at stake, which is classic for financially motivated hackers,” she said.

Lopp said we will see attackers devote greater and greater resources to coming up with new ways to part people from their private keys.

“While a novel attack takes much greater effort to develop, the rewards are also potentially higher because it's more likely to fool people because the knowledge of that style of attack has not been disseminated through the user base,” he said. “That is, people are more likely to expose themselves to the attack unknowingly.”

Benjamin Powers

Powers is a tech reporter at Grid. Previously, he was privacy reporter at CoinDesk where he focused on data and financial privacy, information security, and digital identity. His work has been featured in the Wall Street Journal, Daily Beast, Rolling Stone, and the New Republic, among others. He owns bitcoin.