Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
USDC 
Lido Staked Ether 
TRON 
Dogecoin 
Cardano 
Figure Heloc 
WhiteBIT Coin 
Wrapped stETH 
Bitcoin Cash 
Wrapped Bitcoin 
Wrapped Beacon ETH 
USDS 
Chainlink 
Wrapped eETH 
Binance Bridged USDT (BNB Smart Chain) 
LEO Token 
WETH 
Stellar 
Zcash 
Hyperliquid 
Monero 
Ethena USDe 
Coinbase Wrapped BTC 
Litecoin 
Sui 
Avalanche 
Hedera 
Shiba Inu 
sUSDS 
USDT0 
Dai 
Mantle 
Toncoin 
World Liberty Financial 
PayPal USD 
Cronos 
Ethena Staked USDe 
Uniswap 
Polkadot 
Aave 
Bittensor 
MemeCore 
USD1 
Canton 
Rain 
Bitget Token 
OKB 
Tether Gold 
Falcon USD 
NEAR Protocol 
Ethereum Classic 
Aster 
Ethena 
Binance-Peg WETH 
Jito Staked SOL 
Pepe 
BlackRock USD Institutional Digital Liquidity Fund 
Internet Computer 
Pi Network 
Solana 
Jupiter Perpetuals Liquidity Provider Token 
Pump.fun 
Provenance Blockchain 
syrupUSDC 
HTX DAO 
PAX Gold 
Ondo 
Worldcoin 
Global Dollar 
KuCoin 
Circle USYC 
syrupUSDT 
Sky 
BFUSD 
Ripple USD 
Rocket Pool ETH 
Binance Bridged USDC (BNB Smart Chain) 
POL (ex-MATIC) 
Aptos 
Kaspa 
Gate 
Wrapped BNB 
Arbitrum 
Binance Staked SOL 
Kelp DAO Restaked ETH 
Official Trump 
Algorand 
Function FBTC 
Cosmos Hub 
Liquid Staked ETH 
VeChain 
Lombard Staked BTC 
Flare 
Solv Protocol BTC 
NEXO 
Filecoin 
XDC Network 
Midnight 
USDtb 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
OUSG 
Sei 
Render 
Kinetiq Staked HYPE 
WrappedM by M^0 
Bonk 
Janus Henderson Anemoy AAA CLO Fund 
PancakeSwap 
USDD 
Arbitrum Bridged WBTC (Arbitrum One) 
Mantle Staked Ether 
Wrapped Flare 
clBTC 
First Digital USD 
Ondo US Dollar Yield 
Pudgy Penguins 
Ultima 
Polygon Bridged USDC (Polygon PoS) 
Beldex 
USDai 
Renzo Restaked ETH 
Jupiter Staked SOL 
Jupiter 
Story 
Polygon PoS Bridged DAI (Polygon POS) 
Artificial Superintelligence Alliance 
L2 Standard Bridged WETH (Base) 
Morpho 
Optimism 
StakeWise Staked ETH 
MYX Finance 
Dash 
Curve DAO 
Aerodrome Finance 
Usual USD 
tBTC 
SPX6900 
Arbitrum Bridged WETH (Arbitrum One) 
Injective 
Tezos 
Lido DAO 
Virtuals Protocol 
Bridged Wrapped Ether (Pundi AIFX Omnilayer) 
Stacks 
Starknet 
Celestia 
GTETH 
TrueUSD 
cgETH Hashkey Cloud 
Ether.fi 
Spiko EU T-Bills Money Market Fund 
AB 
Marinade Staked SOL 
Telcoin 
Wrapped ApeCoin 
Stader ETHx 
GHO 
FLOKI 
Ether.Fi Liquid ETH 
Kaia 
The Graph 
Merlin Chain 
Mantle Bridged USDT (Mantle) 
Basic Attention 
IOTA 
DoubleZero 
Ethereum Name Service 
Swell Ethereum 
BitTorrent 
sBTC 
USDB 
Trust Wallet 
Coinbase Wrapped Staked ETH 
Steakhouse USDC Morpho Vault 
Bitcoin SV 
dogwifhat 
Sun Token 
Lorenzo Wrapped Bitcoin 
JUST 
Pyth Network 
Conflux 
Avalanche Bridged BTC (Avalanche) 
Fartcoin 
Olympus 
AINFT 
Pendle 
crvUSD 
Binance-Peg Dogecoin 
Decred 
Theta Network 
The Sandbox 
Sonic 
Audiera 
Chiliz 
Helium 
New malware is attacking cryptocurrency users, stealing wallet credentials and financial data by bypassing Chrome’s encryption and monitoring clipboard activity to intercept and redirect transactions.
New Malware Targets Crypto Users, Stealing Wallet Credentials and Financial Data
A newly discovered remote access trojan (RAT) known as StilachiRAT is specifically targeting cryptocurrency users by stealing digital wallet credentials and exfiltrating sensitive data. Microsoft Incident Response researchers detailed the malware’s capabilities in a report published on March 17, 2025, highlighting its focus on compromising Google Chrome users who store cryptocurrency wallet extensions and saved login credentials.
According to Microsoft:
StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser.
The malware scans for 20 different wallet extensions, including Bitget Wallet (formerly Bitkeep), Trust Wallet, Tronlink, Metamask (ethereum), Tokenpocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, Confluxportal, and Plug, allowing attackers to extract digital asset information.
Beyond targeting cryptocurrency wallets, StilachiRAT also steals stored login credentials from Google Chrome by bypassing its encryption mechanisms. The report explains: “StilachiRAT extracts Google Chrome’s encryption_key from the local state file in a user’s directory. However, since the key is encrypted when Chrome is first installed, it uses Windows APIs that rely on current user’s context to decrypt the master key. This allows access to the stored credentials in the password vault.”
This enables attackers to retrieve usernames and passwords associated with financial accounts, further increasing the risk to victims’ digital assets. Additionally, StilachiRAT establishes a command-and-control (C2) connection, allowing remote operators to execute commands, manipulate system processes, and remain persistent even after initial detection.
The malware also continuously monitors clipboard data to extract cryptocurrency keys and sensitive financial information. Microsoft’s report notes:
Clipboard monitoring is continuous, with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.
By scanning for specific patterns linked to cryptocurrency addresses, StilachiRAT can intercept and replace copied wallet addresses, redirecting transactions to an attacker-controlled destination. To mitigate the risk, Microsoft advises users to implement security measures such as enabling Microsoft Defender protections, using secure browsers, and avoiding unverified downloads. As the threat landscape evolves, cybersecurity experts urge crypto holders to stay vigilant against emerging malware designed to exploit digital assets.
