New Malware Targets Metamask And 40 Other Crypto Wallets

Last updated: Mar 30, 2023

A new type of malware is compromising Metamask and at least 40 other software crypto wallets.

First analyzed by malware expert 3xp0rt, “Mars Stealer” appears to be an enhanced version of the Oski Stealer malware which surfaced in late 2019. Just 95kb in size, the malware is an information-stealing program that can steal data from any web browser, including popular crypto wallet extensions, before disappearing from the victim’s device.

It can also grab two-factor authentication (2FA) codes, which many crypto holders rely heavily on to protect their bags.

According to a report from BleepingComputer, Mars Stealer can “exfiltrate files from the infected system and relies on its own loader and wiper, which minimizes the infection footprint.”

So far, the malware is known to be a threat to Google Chrome, Brave Browser, Internet Explorer, Microsoft Edge, and at least 30 other internet browsers and applications. It is also known to circumvent Google Authenticator, Authy, Trezor Password Manager and multiple other 2FA apps.

TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, and many other crypto extensions are vulnerable to Mars Stealer. Crypto wallets like Bitcoin Core, Exodus, Binance and Coinomi are also susceptible to hacks.


Mars Stealer is currently available for $140 on Russian-speaking dark markets, making the barrier to entry relatively low.

According to 3xp0rt, the malware also allows attackers to retrieve the following information:

  • IP and country
  • Working path to EXE file
  • Local time and time zone
  • System language
  • Keyboard layout language
  • Notebook or desktop
  • Processor model
  • Computer name
  • User name
  • Domain computer name
  • Machine ID
  • GUID
  • Installed software and their versions

3xp0rt said:

“Mars Stealer is an improved version of Oski Stealer. An anti-debug check and crypto extension stealing have been added, but Outlook stealing is missing. The code has been refactored, but some algorithms remained stupid as in Oski Stealer. Here you can read a detailed Oski Stealer analysis from CyberArk.”