Gamers at Risk as Fake Roblox Mods Spread Crypto-Stealing Malware
Kaspersky researchers have uncovered Stealka, a sophisticated infostealer masquerading as game mods and pirated software that targets crypto wallets and browser credentials across more than 115 browser extensions.
The malware spreads via trusted platforms including GitHub, SourceForge and Softpedia, where attackers create professional-looking fake websites and repositories to distribute the threat under the guise of popular game cheats for titles such as Roblox and GTA V.

The discovery marks the latest escalation in a broader pattern of gaming-focused malware campaigns, as cybercriminals increasingly exploit the trust players place in modding communities.
Attackers leverage popular search terms and authentic-looking download pages to lure victims, with some sites falsely claiming that virus scans are performed before downloads, although no such verification takes place.
The malicious files appear deliberately misleading; one fake website advertised Half-Life 3 while describing it as a “professional software solution designed for Windows”, using popular gaming titles merely as bait to maximise search engine visibility.

Extensive Arsenal Targets Crypto Wallets
According to the security firm, Stealka’s capabilities extend far beyond basic credential theft, targeting data from browsers built on the Chromium and Gecko engines and putting over 100 applications, including Chrome, Firefox, Opera and Edge, at immediate risk.
The malware extracts autofill data, session tokens and cookies that allow attackers to bypass two-factor authentication and hijack accounts without passwords, while simultaneously targeting 115 browser extensions for crypto wallets, password managers and authentication services. Because a replayed session cookie represents an already-authenticated session, changing the password alone does not evict the attacker; the victim must also revoke active sessions on each affected service.
High-value targets include crypto wallets such as Binance, Coinbase, MetaMask, Trust Wallet and Phantom, as well as password managers such as 1Password, Bitwarden, LastPass and NordPass.
The stealer also collects local configuration files from 80 wallet applications, including Bitcoin, Ethereum, Exodus, Monero and Dogecoin clients, which may contain encrypted private keys and seed-phrase data sufficient to compromise holdings.
Beyond crypto assets, Stealka infiltrates messaging apps such as Discord and Telegram, email clients including Outlook and Thunderbird, gaming platforms such as the Steam and Roblox launchers, VPN clients such as ProtonVPN and Surfshark, and note-taking apps where users often improperly store sensitive information.
The malware additionally harvests system data, installed program lists and hardware specifications, and captures screenshots to maximise intelligence gathering.
Attackers have used compromised accounts to spread the malware further; Kaspersky found the stealer in a GTA V mod posted from a previously hijacked account on a dedicated modding site.
Industry Faces Mounting Security Crisis
The Stealka campaign emerges amid catastrophic industry-wide security failures: crypto platforms have lost $9.1 billion in 2025 alone, roughly 10% of the $90 billion stolen over the past 15 years.
In November, losses exceeded $276 million, pushing the annual total past historical records.
“Crypto is facing a security reckoning,” said Mitchell Amador, CEO of Immunefi, a crowdsourced security platform protecting $180 billion in assets.
“Most hacks this year haven’t happened because of poor audits—they’ve happened after launch, during protocol upgrades, or through integration vulnerabilities.”
Amador emphasised that 99% of Web3 projects operate without basic firewalls while fewer than 10% deploy modern AI security tools, calling the sector’s approach “willful negligence.”
The human element has become the primary attack surface, with threat actors shifting from code vulnerabilities to operational security breaches as smart contracts become harder to exploit.
“The threat landscape is shifting from on-chain code vulnerabilities to operational security and treasury-level attacks,” Amador explained. “As code hardens, attackers target the human element.”
Kaspersky’s broader research reveals a sustained malware ecosystem; the firm has previously documented the GitVenom campaign involving hundreds of fake GitHub repositories, the SparkKitty mobile malware that infiltrated Apple’s App Store and Google Play to steal seed-phrase screenshots via OCR, and ClipBanker trojans hidden in fake Microsoft Office downloads.
North Korean threat groups have also escalated their tactics by weaponising blockchain technology itself, embedding malware payloads in smart contracts on BNB Smart Chain and Ethereum to create a decentralised command-and-control infrastructure that law enforcement cannot shut down.
For now, Kaspersky recommends that users:
- Deploy reliable antivirus software.
- Avoid storing sensitive credentials in browsers.
- Exercise extreme caution with game cheats and pirated software.
- Enable two-factor authentication, with backup codes stored in an encrypted password manager rather than in text files.
- Refrain from downloading software from untrusted sources, regardless of the convenience they may offer.
The post Gamers at Risk as Fake Roblox Mods Spread Crypto-Stealing Malware appeared first on Cryptonews.
