{"id":114192,"date":"2022-05-17T09:00:00","date_gmt":"2022-05-17T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=114192"},"modified":"2023-10-13T08:28:37","modified_gmt":"2023-10-13T15:28:37","slug":"in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/","title":{"rendered":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks"},"content":{"rendered":"\n<p>The steep rise in <a href=\"https:\/\/coinmarketcap.com\/charts\/\">cryptocurrency market capitalization<\/a>, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and the emergence of a threat type we\u2019re referring to as <em>cryware<\/em>.<\/p>\n\n\n\n<p>Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as <a href=\"https:\/\/www.investopedia.com\/terms\/h\/hot-wallet.asp\">hot wallets<\/a>. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.<\/p>\n\n\n\n<p>Cryware signifies a shift in the use of cryptocurrencies in attacks: no longer as a means to an end but the end itself. Before cryware, the role of cryptocurrencies in an attack or the attack stage where they figured varied depending on the attacker\u2019s overall intent. For example, some ransomware campaigns prefer cryptocurrency as a ransom payment. However, that requires the target user to manually do the transfer. Meanwhile, cryptojackers\u2014one of the prevalent cryptocurrency-related malware\u2014do try to mine cryptocurrencies on their own, but such a technique is heavily dependent on the target device\u2019s resources and capabilities.<\/p>\n\n\n\n<p>With cryware, attackers who gain access to hot wallet data can use it to quickly transfer the target\u2019s cryptocurrencies to their own wallets. Unfortunately for the users, such theft is irreversible: blockchain transactions are final even if they were made without a user\u2019s consent or knowledge. In addition, unlike credit cards and other financial transactions, there are currently no available mechanisms that could help reverse fraudulent cryptocurrency transactions or protect users from such.<\/p>\n\n\n\n<p>To find hot wallet data such as private keys, seed phrases, and wallet addresses, attackers could use regular expressions (regexes), given how these typically follow a pattern of words or characters. These patterns are then implemented in cryware, thus automating the process. The attack types and techniques that attempt to steal these wallet data include <a href=\"#clipping-and-switching\">clipping and switching<\/a>, <a href=\"#memory-dumping\">memory dumping<\/a>, <a href=\"#phishing\">phishing<\/a>, and <a href=\"#scams\">scams<\/a>.<\/p>\n\n\n\n<p>As cryptocurrency investing continues to trickle to wider audiences, users should be aware of the different ways attackers attempt to compromise hot wallets. They also need to protect these wallets and their devices using security solutions like <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-antivirus-windows?view=o365-worldwide\">Microsoft Defender Antivirus<\/a>, which detects and blocks cryware and other malicious files, and <a href=\"https:\/\/docs.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\">Microsoft Defender SmartScreen<\/a>, which blocks access to cryware-related websites. For organizations, data and signals from these solutions also feed into <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/microsoft-365-defender\">Microsoft 365 Defender<\/a>, which provides comprehensive and coordinated defense against threats\u2014including those that could be introduced into their networks through user-owned devices or non-work-related applications.<\/p>\n\n\n\n<p>In this blog, we provide details of the different attack surfaces targeting hot wallets. We also offer best practice recommendations that help secure cryptocurrency transactions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">From cryptojackers to cryware: The growth and evolution of cryptocurrency-related malware<\/h2>\n\n\n\n<p>The emergence and boom of cryptocurrency allowed existing threats to evolve their techniques to target or abuse cryptocurrency tokens. The threats that currently leverage cryptocurrency include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Cryptojackers.<\/strong> One of the threat types that surfaced and thrived since the introduction of cryptocurrency, cryptojackers are <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/intelligence\/coinminer-malware?view=o365-worldwide\">mining malware<\/a> that hijacks and consumes a target\u2019s device resources for the former\u2019s gain and without the latter\u2019s knowledge or consent. Based on our threat data, we saw millions of cryptojacker encounters in the last year.<\/li><li><strong>Ransomware. <\/strong>Some threat actors prefer cryptocurrency for ransom payments because it provides transaction anonymity, thus reducing the chances of being discovered.<\/li><li><strong>Password and info stealers.<\/strong> Apart from sign-in credentials, system information, and keystrokes, many info stealers are now adding hot wallet data to the list of information they search for and exfiltrate.<\/li><li><strong>ClipBanker trojans. <\/strong>Another type of info stealer, this malware checks the user\u2019s clipboard and steals banking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their monitoring to include cryptocurrency addresses.<\/li><\/ul>\n\n\n\n<p>The increasing popularity of cryptocurrency has also led to the emergence of cryware like Mars Stealer and RedLine Stealer. These threats aim to steal cryptocurrencies through wallet data theft, clipboard manipulation, phishing and scams, or even misleading smart contracts. For example, RedLine has even been used as a component in larger threat campaigns. The graph below illustrates the increasing trend in unique cryware file encounters <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> has detected in the last year alone.<em><\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"502\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig1-2021-cryware-encounters.png\" alt=\"Bar chart illustrating the distribution of cryware family detections from January to December 2021.\" class=\"wp-image-114198\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig1-2021-cryware-encounters.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig1-2021-cryware-encounters-300x188.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig1-2021-cryware-encounters-768x483.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 1. Microsoft Defender for Endpoint cryware encounters for 2021<\/figcaption><\/figure>\n\n\n\n<p>Cryware could cause severe financial impact because transactions can\u2019t be changed once they\u2019re added to the blockchain. As mentioned earlier, there also are currently no support systems that could help recover stolen cryptocurrency funds.<\/p>\n\n\n\n<p>For example, in 2021, a user <a href=\"https:\/\/www.reddit.com\/r\/EtherMining\/comments\/n243fd\/my_eth_was_stolen_out_of_my_metamask_and\/\">posted<\/a> about how they lost USD78,000 worth of Ethereum because they stored their wallet seed phrase in an insecure location. An attacker likely gained access to the target\u2019s device and installed cryware that discovered the sensitive data. Once this data was compromised, the attacker would\u2019ve been able to empty the targeted wallet.<\/p>\n\n\n\n<p>With the growing popularity of cryptocurrency, the impact of cryware threats have become more significant. We\u2019ve already observed campaigns that previously deployed ransomware now using cryware to steal cryptocurrency funds directly from a targeted device. While not all devices have hot wallets installed on them\u2014especially in enterprise networks\u2014we expect this to change as more companies transition or move part of their assets to the cryptocurrency space. Users and organizations must therefore learn how to protect their hot wallets to ensure their cryptocurrencies don\u2019t end up in someone else\u2019s pockets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hot wallet attack surfaces<\/h2>\n\n\n\n<p>To better protect their hot wallets, users must first understand the different attack surfaces that cryware and related threats commonly take advantage of.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hot wallet data<\/h3>\n\n\n\n<p>During the creation of a new hot wallet, the user is given the following wallet data:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Private key.<\/strong> The key that\u2019s required to access the hot wallet, sign or authorize transactions, and send cryptocurrencies to other wallet addresses.<\/li><li><strong>Seed phrase.<\/strong> A mnemonic phrase is a human-readable representation of the private key. It\u2019s another form of a private key that\u2019s easier to remember. Bitcoin Improvement Proposal: 39 (BIP39) is currently the most common standard used to generate seed phrases consisting of 12-14 words (from a predefined list of 2,048).<\/li><li><strong>Public key.<\/strong> The public address of the wallet that users must enter as the destination address when sending funds to other wallets.<\/li><li><strong>Wallet password<\/strong> <strong>(optional)<\/strong>. A standard user account password that some wallet applications offer as an additional protection layer.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"512\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig2-sample-wallet-creation-6281b08dbd65f.png\" alt=\"Screenshots of a wallet app's UI screens where users can create a password and a secret recovery phrase.\" class=\"wp-image-114261\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig2-sample-wallet-creation-6281b08dbd65f.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig2-sample-wallet-creation-6281b08dbd65f-300x192.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig2-sample-wallet-creation-6281b08dbd65f-768x492.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 2. Sample wallet creation in a popular wallet app<\/figcaption><\/figure>\n\n\n\n<p>Attackers try to identify and exfiltrate sensitive wallet data from a target device because once they have located the private key or seed phrase, they could create a new transaction and send the funds from inside the target\u2019s wallet to an address they own. This transaction is then published to the blockchain of the cryptocurrency of the funds contained in the wallet. Once this action is completed, the target won\u2019t be able to retrieve their funds as blockchains are immutable (unchangeable) by definition.<\/p>\n\n\n\n<p>To locate and identify sensitive wallet data, attackers could use regexes, which are strings of characters and symbols that can be written to match certain text patterns. The following table demonstrates how regexes can be used to match wallet string patterns:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Wallet target<\/strong><\/td><td><strong>String description<\/strong><\/td><td><strong>String example<\/strong><\/td><td><strong>Regular expression<\/strong><\/td><\/tr><tr><td>Private key<\/td><td>Identify a string of characters that comprise an example private key. This key would consist of exactly 256 bits (32 characters) in an unspaced, capitalized, hexadecimal string located on one line.<\/td><td>A6FDF18E86000542388064492B58CBF<\/td><td>&nbsp;^[A-F0-9]{32}$<\/td><\/tr><tr><td>Seed phrase<\/td><td>Identify a string of characters that comprise a seed phrase consisting of 12 words separated by a single space located on one line.<\/td><td>this is a long string of text consisting of twelve random words<\/td><td>&nbsp;^(\\w+\\s){11}\\w+$<\/td><\/tr><tr><td>Wallet address<\/td><td>Identify a string of characters that comprise an example public wallet address. This address would consist of exactly 24 characters in an unspaced, hexadecimal string preceded by the literal letters \u201cLB\u201d.<\/td><td>LB32b787573F5186C696b8ed61<\/td><td>^LB[a-fA-F0-9]{24}$<\/td><\/tr><\/tbody><\/table><figcaption>Table 1. Regular expressions to detect example wallet data<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Cryware attack scenarios and examples<\/h3>\n\n\n\n<p>Once sensitive wallet data has been identified, attackers could use various techniques to obtain them or use them to their advantage. Below are some examples of the different cryware attack scenarios we\u2019ve observed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"clipping-and-switching\">Clipping and switching<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"441\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig3-clipping-and-switching-overview.png\" alt=\"Diagram with icons and arrows illustrating how clipping and switching works.\" class=\"wp-image-114204\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig3-clipping-and-switching-overview.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig3-clipping-and-switching-overview-300x165.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig3-clipping-and-switching-overview-768x423.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 3. Clipping and switching overview<\/figcaption><\/figure>\n\n\n\n<p>In clipping and switching, a cryware monitors the contents of a user\u2019s clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses <em>CTRL + V<\/em> into an application window, the cryware replaces the object in the clipboard with the attacker\u2019s address.<\/p>\n\n\n\n<p>Figure 4, which is a code based on an actual clipper malware we\u2019ve seen in the wild, demonstrates the simplest form of this attack. This code uses regexes to monitor for copied wallet addresses and then swaps the value to be pasted.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"480\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig4-sample-clipping-and-switching-code.png\" alt=\"Code snippet that allows a malware to replace copied data with a different value.\" class=\"wp-image-114207\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig4-sample-clipping-and-switching-code.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig4-sample-clipping-and-switching-code-300x180.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig4-sample-clipping-and-switching-code-768x461.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 4. Example code to replace the clipboard using regular expressions to identify wallet\u2019s address pattern<\/figcaption><\/figure>\n\n\n\n<p>While this technique is not new and has been used in the past by info stealers, we\u2019ve observed its increasing prevalence. The technique\u2019s stealthy nature, combined with the length and complexity of wallet addresses, makes it highly possible for users to overlook that the address they pasted does not match the one they originally copied.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"memory-dumping\">Memory dumping<\/h4>\n\n\n\n<p>Another technique is memory dumping, which takes advantage of the fact that some user interactions with their hot wallet could display the private keys in plaintext. This critical information might remain in the memory of a browser process performing these actions, thus compromising the wallet\u2019s integrity. Such a scenario also allows an attacker to dump the browser process and obtain the private key.<\/p>\n\n\n\n<p>The screenshot below illustrates such an example. When a private key was exported through a web wallet application, the private key remained available in plaintext inside the process memory while the browser remained running.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"372\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig5-hot-wallet-key-inside-browser-process-memory.png\" alt=\"Screenshot of a browser process memory dump with a redacted hot wallet private key displayed in plaintext.\" class=\"wp-image-114210\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig5-hot-wallet-key-inside-browser-process-memory.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig5-hot-wallet-key-inside-browser-process-memory-300x140.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig5-hot-wallet-key-inside-browser-process-memory-768x358.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig5-hot-wallet-key-inside-browser-process-memory-465x215.png 465w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 5. A hot wallet private key visible inside the browser process memory<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Wallet file theft<\/h4>\n\n\n\n<p>While more sophisticated cryware threats use regular expressions, clipboard tampering, and process dumping, a simple but effective way to steal hot wallet data is to target the wallet application\u2019s storage files. In this scenario, an attacker traverses the target user\u2019s filesystem, determines which wallet apps are installed, and then exfiltrates a predefined list of wallet files.<\/p>\n\n\n\n<p>Target files and information include the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Web wallet files. <\/strong>Some hot wallets are installed as browser extensions with a unique namespace identifier to name the extension storage folder. A web wallet\u2019s local vault contains the encrypted private key of a user\u2019s wallet and can be found inside this browser app storage folder. Attackers target this vault as it can be <a href=\"https:\/\/en.wikipedia.org\/wiki\/Brute-force_attack\">brute-forced<\/a> by many popular tools, such as Hashcat.<ul><li>Example targeted MetaMask vault folder in some web browsers: \u201cLocal Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\u201d<\/li><\/ul><\/li><li><strong>Desktop wallet files. <\/strong>Other hot wallets are installed on a user\u2019s desktop device. The private keys are encrypted and stored locally in application storage files specific to each wallet. Attackers could determine which desktop wallet is installed on a target device when stealing information from it. As with the web wallet vaults, wallet storage files containing encrypted private keys provide an excellent opportunity for brute-force attacks.<ul><li>Example targeted Exodus storage files: \u201cExodus\\passphrase.json\u201d, \u201cExodus\\seed.seco\u201d<\/li><\/ul><\/li><li><strong>Wallet passwords.<\/strong> Some wallet applications require passwords as an additional authentication factor when signing into a wallet. Some users store these passwords and seed phrases or private keys inside password manager applications or even as autofill data in browsers. Attackers could traverse an affected device to discover any password managers installed locally or exfiltrate any browser data that could potentially contain stored passwords.<ul><li>Example targeted browser data: \u201c\\Cookies\\\u201d, \u201c\\Autofill\\\u201d<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Mars Stealer is a notable cryware that steals data from web wallets, desktop wallets, password managers, and browser files. The snippet below was taken from a section of Mars Stealer code aimed to locate wallets installed on a system and steal their sensitive files:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"803\" height=\"97\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig6-mars-stealer-code-snippet.png\" alt=\"Screenshot of a code snippet of Mars Stealer.\" class=\"wp-image-114213\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig6-mars-stealer-code-snippet.png 803w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig6-mars-stealer-code-snippet-300x36.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig6-mars-stealer-code-snippet-768x93.png 768w\" sizes=\"auto, (max-width: 803px) 100vw, 803px\" \/><figcaption>Figure 6. Mars Stealer code snippet that locates sensitive hot wallet data<\/figcaption><\/figure>\n\n\n\n<p>Mars Stealer is available for sale on hacking forums, as seen in an example post below. The post describes the cryware\u2019s capabilities of stealing sensitive data from multiple wallets and app storage files from an affected device. Mars Stealer then bundles the stolen data and exfiltrates it to an attacker-controlled command-and-control (C2) server via HTTP POST.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"419\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig7-mars-stealer-ad.png\" alt=\"Screenshot of a forum post titled &quot;Mars Stealer is a native, non-resident stiller (sic) with the functionality of a loader and a graber (sic)&quot;\" class=\"wp-image-114216\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig7-mars-stealer-ad.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig7-mars-stealer-ad-300x157.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig7-mars-stealer-ad-768x402.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 7. An ad for Mars Stealer for sale in an underground forum<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Keylogging<\/h4>\n\n\n\n<p>Keylogging is another popular technique used by cryware. Like other information-stealing malware that use this technique, keylogging cryware typically runs in the background of an affected device and logs keystrokes entered by the user. It then sends the data it collects to an attacker controlled C2 server.<\/p>\n\n\n\n<p>For attackers, keyloggers have the following advantages:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>No need for brute forcing.<\/strong> Private keys, seed phrases, and other sensitive typed data can be stolen in plaintext.<\/li><li><strong>Difficult to detect.<\/strong> Keyloggers can run undetected in the background of an affected device, as they generally leave few indicators apart from their processes.<\/li><li><strong>Stolen data can live in memory.<\/strong> Attackers don\u2019t have to write stolen user data to disk. Instead, they can store the data in process memory before uploading it to the server.<\/li><\/ul>\n\n\n\n<p>Even users who store their private keys on pieces of paper are vulnerable to keyloggers. Copying and pasting sensitive data also don\u2019t solve this problem, as some keyloggers also include screen capturing capabilities.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"phishing\">Phishing sites and fake applications<\/h4>\n\n\n\n<p>To fool users into entering their private keys, attackers create malicious applications that spoof legitimate hot wallets. Unfortunately, determining which app is malicious or legitimate can be challenging because importing an existing wallet does require the input of a private key.<\/p>\n\n\n\n<p>Since a user needs to go to a hot wallet website to download the wallet app installer, attackers could use one of the two kinds of methods to trick users into downloading malicious apps or giving up their private keys:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Typosquatting: <\/strong>Attackers purchase domains that contain commonly mistyped characters.<\/li><li><strong>Soundsquatting: <\/strong>Attackers purchase domains with names that sound like legitimate websites.<\/li><\/ul>\n\n\n\n<p>The screenshot below shows a spoofed MetaMask website. While the domain contains the word \u201cMetaMask,\u201d it has an additional one (\u201csuspend\u201d) at the beginning that users might not notice. This could easily trick a user into entering their private keys to supposedly import their existing wallet, leading to the theft of their funds instead.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"410\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig8-metamask-phishing-website.png\" alt=\"Screenshot of a web browser window displaying a phishing website's &quot;Import Wallet&quot; page.\" class=\"wp-image-114219\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig8-metamask-phishing-website.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig8-metamask-phishing-website-300x154.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig8-metamask-phishing-website-768x394.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 8. Screenshot of a MetaMask phishing website<\/figcaption><\/figure>\n\n\n\n<p>Phishing websites may even land at the top of search engine results as sponsored ads. In February 2022, we observed such ads for spoofed websites of the cryptocurrency platform StrongBlock. The topmost fake website\u2019s domain appeared as \u201cstrongsblock\u201d (with an additional \u201cs\u201d) and had been related to phishing scams attempting to steal private keys. Note that these ads no longer appear in the search results as of this writing. It\u2019s common practice for internet search engines (such as Google and Edge) to regularly review and remove ad results that are found to be possible phishing attempts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"644\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig9-sponsored-ads-for-phishing-websites.png\" alt=\"Screenshot of search results related to &quot;strongblock&quot;. The three sponsored ads at the top of the page are phishing websites and are highlighted with red boxes. The result that points to the legitimate website is highlighted with a blue box.\" class=\"wp-image-114222\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig9-sponsored-ads-for-phishing-websites.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig9-sponsored-ads-for-phishing-websites-300x242.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig9-sponsored-ads-for-phishing-websites-768x618.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 9. Sponsored ads for phishing websites (highlighted in red boxes from a screenshot taken on February 11, 2022) being pushed on top of browser search results, which can trick users into clicking them<\/figcaption><\/figure>\n\n\n\n<p>Some spoofed wallet websites also host fake wallet apps that trick users into installing them. Figure 10 shows an example of a fake wallet app that even mimics the icon of the legitimate one. Like phishing websites, the fake apps\u2019 goal is to trick users into providing sensitive wallet data.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"451\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig10-fake-wallet-application.png\" alt=\"Screenshots of a smartphone's home screen with icons and the loading page of the fake wallet app.\" class=\"wp-image-114225\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig10-fake-wallet-application.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig10-fake-wallet-application-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig10-fake-wallet-application-768x433.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig10-fake-wallet-application-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig10-fake-wallet-application-539x303.png 539w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 10. Fake wallet application installed on an Android device. While its icon has the same color of the brand mascot as the legitimate app (left), its loading page displays a different mascot color instead (right).<\/figcaption><\/figure>\n\n\n\n<p>Apart from credential-based phishing tactics in websites and apps, Microsoft security researchers also noted a technique called \u201cice phishing,\u201d which doesn\u2019t involve stealing keys. Rather, it attempts to trick users into signing a transaction that delegates approval of the target user\u2019s tokens to an attacker. More information about ice phishing can be found in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/02\/16\/ice-phishing-on-the-blockchain\/\">this blog<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"scams\">Scams and other social engineering tactics<\/h4>\n\n\n\n<p>Cryptocurrency-related scams typically attempt to lure victims into sending funds of their own volition. One such scam we\u2019ve seen uses prominent social media personalities who seemingly endorse a particular platform. The scammers promise to \u201cdonate\u201d funds to participants who send coins to a listed wallet address. Unfortunately, these promises are never fulfilled.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"415\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig11-scam-related-promotional-videos.png\" alt=\"Screen capture of an online video promoting a website and QR codes (redacted) that point to Bitcoin and Ethereum wallets.\" class=\"wp-image-114228\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig11-scam-related-promotional-videos.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig11-scam-related-promotional-videos-300x156.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig11-scam-related-promotional-videos-768x399.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 11. Prominent social media personalities inserted in scam-related promotional videos<\/figcaption><\/figure>\n\n\n\n<p>Social media content creators are also becoming the targets of scam emails. The email messages attempt to trick targets into downloading and executing cryware on their devices by purporting promotional offers and partnership contracts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"724\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig12-sample-scam-email.png\" alt=\"Screenshot of an email message about &quot;Promotional offer and partnerships&quot;.\" class=\"wp-image-114231\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig12-sample-scam-email.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig12-sample-scam-email-300x272.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig12-sample-scam-email-768x695.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 12. Legitimate looking scam email prompting the user to download and execute a malicious file<\/figcaption><\/figure>\n\n\n\n<p>In such cases, the downloaded or attached cryware masquerades as a document or a video file using a double extension (for example, <em>.txt.exe<\/em>) and a spoofed icon. Thus, target users who might be distracted by the message content might also forget to check if the downloaded file is malicious or not.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"309\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig13-scr-file-masquerading-as-doc.png\" alt=\"Partial screenshot of Windows Explorer showing a document file &quot;contract.doc&quot;. The Command Prompt screenshot beside the first one shows the file actually has a hidden .scr extension.\" class=\"wp-image-114234\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig13-scr-file-masquerading-as-doc.png 801w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig13-scr-file-masquerading-as-doc-300x116.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig13-scr-file-masquerading-as-doc-768x296.png 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><figcaption>Figure 13. Executable screensaver (.scr) file masquerading as a Word document (.doc) file<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Defending against cryware<\/h2>\n\n\n\n<p>Cryptocurrency crime has been reported to have <a href=\"https:\/\/www.reuters.com\/markets\/us\/cryptocurrency-crime-2021-hits-all-time-high-value-chainalysis-2022-01-06\/\">reached an all-time high in 2021<\/a>, with over USD10 billion worth of cryptocurrencies stored in wallets associated with ransomware and cryptocurrency theft. This shows that just as large cryptocurrency-related entities get attacked, individual consumers and investors are not spared. &nbsp;<\/p>\n\n\n\n<p>Cryptocurrency trading can be an exciting and beneficial practice, but given the various attack surfaces cryware threats leverage, users and organizations must note the multiple ways they can protect themselves and their wallets. They should have a security solution that provides multiple layers of dynamic protection technologies\u2014including machine learning-based protection.<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-antivirus-windows?view=o365-worldwide\">Microsoft Defender Antivirus<\/a> offers such protection. Its endpoint protection capabilities detect and block many cryware, cryptojackers, and other cryptocurrency-related threats. Meanwhile, <a href=\"https:\/\/docs.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\">Microsoft Defender SmartScreen<\/a> in Microsoft Edge and other web browsers that support it blocks phishing sites and prevents downloading of fake apps and other malware. Signals from these solutions, along with threat data from other domains, feed into <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/microsoft-365-defender\">Microsoft 365 Defender<\/a>, which provides organizations with comprehensive and coordinated threat defense and is backed by a global network of security experts who monitor the continuously evolving threat landscape for new and emerging attacker tools and techniques.<\/p>\n\n\n\n<p>Users and organizations can also take the following steps to defend against cryware and other hot wallet attacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Lock hot wallets when not actively trading.<\/strong> This feature in most wallet applications can prevent attackers from creating transactions without the user\u2019s knowledge.<\/li><li><strong>Disconnect sites connected to the wallet. <\/strong>When a user isn\u2019t actively doing a transaction on a decentralized finance (DeFi) platform, a hot wallet\u2019s disconnect feature ensures that the website or app won\u2019t interact with the user\u2019s wallet without their knowledge.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"955\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig14-wallet-apps-connected-sites.png\" alt=\"Screenshot of a wallet app's UI with &quot;Connected sites&quot; option highlighted.\" class=\"wp-image-114237\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig14-wallet-apps-connected-sites.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig14-wallet-apps-connected-sites-251x300.png 251w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/fig14-wallet-apps-connected-sites-768x917.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 14. Some wallet apps allow users to disconnect from sites that they interacted with<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Refrain from storing private keys in plaintext.<\/strong> Never store seed phrases on the device or cloud storage services. Instead, write them down on paper (or something equivalent) and properly secure them.<\/li><li><strong>Be attentive when copying and pasting information.<\/strong> When copying a wallet address for a transaction, double-check if the value of the address is indeed the one indicated on the wallet.<\/li><li><strong>Ensure that browser sessions are terminated after every transaction. <\/strong>To minimize the risk of cryware process dumpers, properly close or restart the browser\u2019s processesafterimporting keys. This ensures that the private key doesn\u2019t remain in the browser process\u2019s memory.<\/li><li><strong>Consider using wallets that implement multifactor authentication (MFA). <\/strong>This prevents attackers from logging into wallet applications without another layer of authentication.<\/li><li><strong>Be wary of links to wallet websites and applications<\/strong>. Phishing websites often make substantial efforts to appear legitimate, so users must be careful when clicking links in emails and messaging apps. Consider manually typing or searching for the website instead and ensure that their domains are typed correctly to avoid phishing sites that leverage typosquatting and soundsquatting.<\/li><li><strong>Double-check hot wallet transactions and approvals.<\/strong> Ensure that the contract that needs approval is indeed the one initiated.<\/li><li><strong>Never share private keys or seed phrases<\/strong>. Under no circumstances will a third party or even the wallet app developers need these types of sensitive information.<\/li><li><strong>Use a hardware wallet unless it needs to be actively connected to a device. <\/strong>Hardware wallets store private keys offline.<\/li><li><strong>Reveal file extensions of downloaded and saved files. <\/strong>On Windows,turn on <strong>File Name Extensions<\/strong> under <strong>View<\/strong> on file explorer to see the actual extensions of the files on a device.<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\">Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><em><strong>Berman Enconado <\/strong>and <strong>Laurie Kirk<\/strong><br>Microsoft 365 Defender Research Team<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft 365 Defender detections<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Microsoft Defender Antivirus<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/Azorult.RMA!MTB&amp;ThreatID=2147795132\">Trojan:Win32\/Azorult.RMA!MTB<\/a><\/li><li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=PWS:MSIL\/RedLine.GG!MTB&amp;ThreatID=2147772078\">PWS:MSIL\/RedLine.GG!MTB<\/a><\/li><li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/ArkeiStealer.DB!MTB&amp;ThreatID=2147786456\">Trojan:Win32\/ArkeiStealer.DB!MTB<\/a><\/li><li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/Raccoon.AD!MTB&amp;ThreatID=2147798255\">Trojan:Win32\/Raccoon.AD!MTB<\/a><\/li><li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:AndroidOS\/FakeWallet.A!MTB\">Trojan:AndroidOS\/FakeWallet.A!MTB<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The rise in cryptocurrency market capitalization paved the way to the emergence of threats Microsoft security researchers are referring to as \u201ccryware\u201d\u2014information stealers focused on gathering and exfiltrating data from non-custodial cryptocurrency wallets.<\/p>\n","protected":false},"author":150,"featured_media":114243,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3727,3738],"tags":[3750,3920,3802,3809],"coauthors":[3380],"class_list":["post-114192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-threat-actors","tag-cryptocurrency-mining","tag-cryptojacking","tag-ransomware","tag-security-strategies"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"The rise in cryptocurrency market capitalization paved the way to the emergence of threats Microsoft security researchers are referring to as \u201ccryware\u201d\u2014information stealers focused on gathering and exfiltrating data from non-custodial cryptocurrency wallets.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-17T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-13T15:28:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks\",\"datePublished\":\"2022-05-17T16:00:00+00:00\",\"dateModified\":\"2023-10-13T15:28:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\"},\"wordCount\":3509,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg\",\"keywords\":[\"Cryptocurrency mining\",\"Cryptojacking\",\"Ransomware\",\"Security strategies\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\",\"name\":\"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg\",\"datePublished\":\"2022-05-17T16:00:00+00:00\",\"dateModified\":\"2023-10-13T15:28:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Two people in the subway looking at a mobile device.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/","og_locale":"en_US","og_type":"article","og_title":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks | Microsoft Security Blog","og_description":"The rise in cryptocurrency market capitalization paved the way to the emergence of threats Microsoft security researchers are referring to as \u201ccryware\u201d\u2014information stealers focused on gathering and exfiltrating data from non-custodial cryptocurrency wallets.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-05-17T16:00:00+00:00","article_modified_time":"2023-10-13T15:28:37+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg","type":"image\/jpeg"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks","datePublished":"2022-05-17T16:00:00+00:00","dateModified":"2023-10-13T15:28:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/"},"wordCount":3509,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg","keywords":["Cryptocurrency mining","Cryptojacking","Ransomware","Security strategies"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/","name":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg","datePublished":"2022-05-17T16:00:00+00:00","dateModified":"2023-10-13T15:28:37+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/05\/hot-wallets-featured-image.jpg","width":1200,"height":800,"caption":"Two people in the subway looking at a mobile device."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/17\/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"In hot pursuit of \u2018cryware\u2019: Defending hot wallets from attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/114192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=114192"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/114192\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/114243"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=114192"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=114192"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=114192"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=114192"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=114192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=114192"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=114192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}