SpyAgent Malware Steals Crypto Private Keys

SpyAgent uses Optical Character Recognition (OCR) technology to scan all images stored on an infected device, extracting sensitive codes. This means any images containing passwords (such as a mnemonic key) or other critical information can become a target for hackers.

To spread the malware among Android users, attackers rely on social engineering techniques. They send phishing SMS messages and social media posts, posing as trusted individuals or organizations. 

These messages often contain enticing offers, such as notifications of winnings, updates to banking apps, or important information from online stores. Once a user clicks on the link, they are redirected to fake websites that closely mimic legitimate platforms (such as banks or social media). These sites prompt users to download an application, which is actually malware. After installation, the virus begins scanning all files in photo galleries, SMS, and email in the background.

Many crypto users of hardware wallets photograph their seed phrases, believing it's safer than storing them on paper. However, storing images of recovery phrases is a common but very dangerous practice. Modern malware can easily detect and steal these keys, putting your crypto assets at serious risk.

Stolen passwords can also be used to access your bank accounts, email, and other critical online services.

While incidents involving SpyAgent have so far been reported only in Asian countries, the virus could quickly spread globally.

You’ve probably heard these guidelines many times before, and it may seem like they don’t apply to you. However, the threat of cyberattacks grows every day, as numerous reports confirm. Here’s a reminder of the key cybersecurity rules:

1. Don’t open messages from unknown or suspicious senders.
2. Only install apps from official sources and double-check the web addresses.
3. Regularly update your operating system and all installed apps.
4. Enable two-factor authentication for critical accounts.

Your cybersecurity depends on you! Stay cautious and don’t give cybercriminals a chance.

In mid-August, Microsoft identified a vulnerability in the Chromium browser, exploited by the North Korean hacker group Citrine Sleet. The virus, CVE-2024-7971, was used to gain remote code execution. Hackers created fake websites resembling official cryptocurrency exchanges and used them to send fraudulent job offers. While no jobs were actually offered, the victims’ systems were infected with remotely controlled malware designed to steal private keys.

At the same time, another malware called Cthulhu Stealer was found targeting MacOS users. It disguised itself as legitimate software (such as CleanMyMac, Grand Theft Auto IV, and Adobe GenP) and stole personal data like Telegram account credentials, MetaMask passwords, and private wallet keys connected to the device.

On August 12th, Scam Sniffer issued a scam alert about another dangerous piece of malware targeting cryptocurrency users. The virus, called Fato Reader, is still being studied, and cybersecurity experts will soon release more details on its malicious capabilities.