Microsoft Identifies New Malware That Targets Cryptocurrency Hot Wallets


Amidst an increase in cyberattacks targeting digital assets on the blockchain, the Microsoft Defender 365 Research Team has identified an emerging threat to cryptocurrency users, dubbed “Cryware.”

Cybercriminals are leveraging the new Cryware attack vector to transfer financial assets from hot wallets to their accounts — an act that is irreversible on the blockchain. A chart published by the Microsoft team shows a sharp rise in Cryware attacks in December 2021.

What Is “Cryware”?

According to Microsoft researchers, Cryware attacks may involve the use of regular expressions (“regexes”) to identify vulnerable hot wallet data such as private keys, seed phrases, and wallet addresses — all of which are fundamental to accessing a hot wallet.

Once attackers locate sensitive wallet data, they may use one or a combination of various techniques to acquire bits and pieces of a user’s hot wallet information. These techniques include memory dumping, clipping and switching, phishing, and social engineering.

In one scenario, the Microsoft team revealed that attackers can use Cryware to swap a user’s wallet address with the attacker’s address by stealthily modifying the contents of the clipboard when the user copies their hot wallet address.
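
A defensive check for the clipboard-swap scenario above, as an added example that is not from the Microsoft report or this article: it scans time-ordered clipboard snapshots and flags a wallet address that is replaced by a different address of the same format shortly after it was copied. The two-second window, the snapshot format, the function names, and the sample addresses are assumptions constructed for illustration.

```python
import re

# Shape checks only (checksums are not verified): enough to recognise
# strings that look like wallet addresses on the clipboard.
ADDRESS_SHAPES = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth-hex": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# Assumption: a user does not copy a second, different address this quickly.
SWAP_WINDOW_SECONDS = 2.0

def address_kind(text):
    """Return the shape name if text looks like a wallet address, else None."""
    value = text.strip()
    for kind, pattern in ADDRESS_SHAPES.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(snapshots, window=SWAP_WINDOW_SECONDS):
    """snapshots: (timestamp_seconds, clipboard_text) pairs in time order.
    Returns one alert per address replaced by another address of the same
    kind within `window` seconds of first appearing on the clipboard."""
    alerts, last = [], None
    for ts, text in snapshots:
        value = text.strip()
        kind = address_kind(value)
        if kind is None:
            last = None              # non-address content resets tracking
            continue
        if last and last["value"] == value:
            continue                 # same address still on the clipboard
        if last and last["kind"] == kind and ts - last["ts"] <= window:
            alerts.append({"at": ts, "kind": kind,
                           "copied": last["value"], "found": value})
        last = {"ts": ts, "value": value, "kind": kind}
    return alerts

# Constructed sample data; these are not real wallet addresses.
ETH_A, ETH_B = "0x" + "ab" * 20, "0x" + "cd" * 20
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLE = [(0.0, "meeting notes"), (10.0, ETH_A), (10.3, ETH_B),
          (60.0, BTC_A), (60.5, BTC_A), (95.0, BTC_B)]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print("possible clipboard swap:", alert)
```

Only the Ethereum-style change 0.3 seconds after the copy is flagged; the second Bitcoin-style address arrives 35 seconds later and is treated as a normal user copy.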

Compared to other forms of cryptocurrency cyberattacks, such as cryptojacking, Cryware is a multi-pronged attack on cryptocurrency hot wallets, the report states.

However, some security researchers argue that these types of attacks are not new and Microsoft is simply trying to create a new malware classification.

“Microsoft is now calling info-stealers that target cryptocurrency wallets….cryware!” online security researcher Lawrence Abrams tweeted.

“Please stop making up new malware classifications. It’s confusing enough for many as it is,” he added.

What Are Hot Wallets?

Hot wallets are virtual wallets that can be used to buy, sell, and store digital assets like cryptocurrency and Non-fungible Tokens (NFTs). They can be downloaded as a program like Exodus or a browser extension like MetaMask. A hot wallet is user-controlled, meaning that it is “non-custodial.” Wallets offered by coin exchanges like Coinbase are “custodial” wallets.

Cyberattacks targeting vulnerable hot wallets have been on the rise since the beginning of this year, the Microsoft report notes. Unlike a “cold wallet” — which is offline and can be stored on physical devices like the Nano Ledger — a hot wallet is software that is constantly connected to the internet. As such, hot wallets are more vulnerable to cyber threats like Cryware.

Blockchain Cybercrime Is Rampant and Versatile

Whether the cybersecurity community considers Cryware to be an emerging threat or otherwise, it is clear that cybercrime is rampant on the blockchain and billions of dollars have been lost due to various cryptocurrency cyberattacks and scams. Information-stealing malware like Cryware and Panda Stealer poses a serious threat not only to cryptocurrency users but also to other online communities.

In February 2021, multiple information “stealers” and “miners” were combined in mega malware campaigns targeting Discord users. In March this year, over $600 million worth of cryptocurrency was stolen from the Ronin Network in one of the largest blockchain hacking incidents to date.

How to Defend Against Cryware Attacks

According to the Microsoft team, Microsoft’s Defender Antivirus and Microsoft Defender SmartScreen can recognize and block Cryware. The researchers noted that the best defense against cyberattacks targeting hot wallets is to secure the following critical access points:

  • Private key
  • Seed phrase
  • Public key
  • Wallet password

Phishing is one of the most popular techniques hackers employ to gain access to and steal assets from the wallets of cryptocurrency users. Check out this article to learn about how to protect your digital assets from phishing attacks.

We recommend writing your private wallet information on paper and storing it somewhere safe. Our guide to buying and selling Bitcoin contains some more valuable tips on how to safeguard your digital assets.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.