CRITICAL WARNING: 'Torg Grabber' Malware Actively Targeting 728 Crypto Wallets in Live Attack Campaign


Author:
Cryptonews
Published:
2026-03-27 07:56:02

A dangerous new malware-as-a-service operation is actively stealing seed phrases and private keys from self-custody crypto users, with researchers warning that the 'Torg Grabber' infostealer has already compromised hundreds of browser wallet extensions through encrypted channels that evade standard detection. The live threat, documented by Gen Digital after analyzing 334 samples over three months, specifically scans 850 browser extensions—targeting 728 cryptocurrency wallets—and exfiltrates critical security data before most endpoint tools can register the breach, exposing users who rely on browser-based wallets as the primary vulnerability surface in what security experts describe as an ongoing, sophisticated attack campaign.

The Mechanism: How Torg Grabber Malware Executes the Attack On Crypto Wallets

The infection chain opens with a dropper disguised as GAPI_Update.exe — a 60 MB InnoSetup package distributed from Dropbox infrastructure. It extracts three benign DLLs into %LOCALAPPDATA%\Connector\ to establish a clean-looking footprint, then launches a fake Windows Security Update progress bar running for exactly, complete with animated ASCII art compiled via csc.exe. The delay is deliberate: it creates a plausible installation window while the payload deploys.

The final executable drops under randomized names — v4jkqh.exe, hkjpy08.exe, ln3dkgz.exe — into C:\Windows\ across documented samples. One captured 13 MB instance spawned dllhost.exe and attempted to disable Event Tracing for Windows before behavioral detection terminated it mid-execution.
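The host behaviours described above (a staging directory under %LOCALAPPDATA%\Connector\, an executable written directly into C:\Windows\, and that executable spawning dllhost.exe) map onto simple endpoint detection logic. The following is an added example, not code from the article or from Gen Digital; the Sysmon-style event records, field names and the allowlist of legitimate C:\Windows\ residents are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry): FileCreate (ID 11), ProcessCreate (ID 1).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Connector\helper.dll"},
    {"EventID": "11", "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "TargetFilename": r"C:\Windows\v4jkqh.exe"},
    {"EventID": "1", "ParentImage": r"C:\Windows\v4jkqh.exe",
     "Image": r"C:\Windows\System32\dllhost.exe"},
    # Benign activity that must not alert.
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

# Staging directory named in the article: %LOCALAPPDATA%\Connector\
CONNECTOR_DIR = re.compile(r"\\AppData\\Local\\Connector\\", re.IGNORECASE)
# An executable directly under C:\Windows\ (no subdirectory). Trusted installers
# rarely write there, so a short allowlist of known residents is enough (assumed).
WINDOWS_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return alert tags for one event; an empty list means nothing suspicious."""
    tags: List[str] = []
    if event.get("EventID") == "11":
        target = event.get("TargetFilename", "")
        if CONNECTOR_DIR.search(target):
            tags.append("staging_dir_connector")
        if WINDOWS_ROOT_EXE.match(target) and basename(target) not in ROOT_ALLOWLIST:
            tags.append("exe_dropped_in_windows_root")
    elif event.get("EventID") == "1":
        parent = event.get("ParentImage", "")
        if (basename(event.get("Image", "")) == "dllhost.exe"
                and WINDOWS_ROOT_EXE.match(parent)
                and basename(parent) not in ROOT_ALLOWLIST):
            tags.append("dllhost_spawned_by_windows_root_exe")
    return tags

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through classify() and return (tag, path) pairs."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        path = ev.get("TargetFilename") or ev.get("Image", "")
        hits.extend((tag, path) for tag in classify(ev))
    return hits
```

Each rule fires on its own, so a single alert is only a lead; the three together in one short window on one host is the pattern the article describes.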

Post-deployment, Torg Grabber targets 25 Chromium browsers, 8 Firefox variants, Discord, Steam, Telegram, VPN clients, FTP clients, email clients, and password managers in addition to crypto wallets. Data is archived to an in-memory ZIP or streamed in chunks. Exfiltration routes through Cloudflare endpoints using per-request HMAC-SHA256 X-Auth-Token headers and ChaCha20 encryption — a production-grade architecture, not improvised tooling.

🚨CRYPTO THEFT MALWARE: New “Torg Grabber” infostealer targets 728 cryptocurrency wallets.

The malware is designed to harvest wallet data and enable theft of digital assets.

Crypto wallets remain a primary target for financially motivated attackers.

— CyberAlertsHQ (@CyberAlertsHQ) March 25, 2026

Gen Digital’s analysis identified over 40 operator tags embedded in binaries: nicknames, date-encoded batch IDs, and Telegram user IDs linking eight operators to the Russian cybercrime ecosystem. The MaaS model means individual operators can deploy custom shellcode post-registration, expanding the attack surface beyond the base configuration. As Gen Digital researchers described it, Torg Grabber evolved from Telegram dead drops to “a production-grade REST API that worked like a Swiss watch dipped in poison.”

The Self-Custody Signal: What 728 Wallets Actually Means

728 is not an arbitrary number. It represents a deliberate configuration sweep: every major browser-based wallet with measurable installation volume. MetaMask alone has over 30 million monthly active users. The extension-targeting logic means Torg Grabber does not need to find a specific victim; it harvests whatever wallet credentials are present on any infected machine.

The broader risk bifurcates cleanly. Self-custody users storing seed phrases in browser storage, text files, or password managers face complete wallet compromise on a single infection. Exchange-held assets are not directly exposed to this specific attack vector, since the malware targets local credential stores, not exchange APIs at scale. But session token theft from browser storage can expose connected exchange accounts if login sessions are active.

If Torg Grabber's MaaS operator base expands (and Gen Digital's monitoring of its REST API infrastructure suggests active iteration), the wallet targeting list will grow. The 728 figure is a current snapshot, not a ceiling. Comparable infostealers like Vidar and RedLine normalized this model years ago; Torg Grabber is executing the same playbook with more structured infrastructure.
