New Malware Exploits Fake Job Ads to Hit Crypto Wallets on Windows, Mac, Linux

Fake job listings are the latest weapon in cybercriminals' arsenal—and they're targeting crypto holders across all major operating systems.

How the attack works

Malicious actors post seemingly legitimate job opportunities across platforms. When applicants click to 'review requirements,' they download malware that scans for cryptocurrency wallets—draining funds before victims even realize they've been hit.

Cross-platform vulnerability

Windows, Mac, and Linux systems are all susceptible. The malware bypasses standard security protocols by masquerading as employment documentation—because who'd suspect a job description?

Stay protected

Verify job postings through official company channels. Never download attachments from unverified sources. Keep wallet software updated—and maybe keep your crypto on hardware wallets until this blows over.

Another day, another exploit—meanwhile traditional finance still can't figure out how to process wire transfers in under three business days.

Victims Tricked into Running Malicious JavaScript File

Victims are tricked into running a malicious JavaScript file written in NodeJS, which avoids detection by traditional signature-based defenses.

Unlike more basic infostealers, ModStealer comes loaded with features designed for stealth and scale.

It targets 56 browser-based crypto wallet extensions, including those on Safari, and is capable of extracting private keys, credentials, configuration files, and certificates.

Clipboard and screen capture tools are also embedded, alongside remote code execution, which can give attackers near-total control of an infected device.

On macOS, the malware uses Apple’s launchctl tool to gain persistence by embedding itself as a LaunchAgent.

From there, it silently monitors activity and sends data to a remote server believed to be hosted in Finland but routed through German infrastructure.

 Fake paid ads

Scam ads are seemingly-real ads on Twitter and Google that advertise fake giveaways and airdrops. Their goal is to trick you into connecting your wallet and signing malicious transactions.

 NEVER use links in paid ads or search results to access airdrops! pic.twitter.com/MoFJbgp345

Researchers believe ModStealer is part of a growing Malware-as-a-Service (MaaS) ecosystem, where advanced malware packages are sold to affiliates who deploy them without needing technical expertise.

This mirrors a wider trend in the cybercrime space: infostealers now dominate Mac malware, with Jamf reporting a 28% surge in such threats in 2025 alone.

The implications for crypto users are especially severe, given the malware’s focus on wallet extensions and sensitive blockchain credentials.

“This isn’t just a Mac issue anymore,” said Mosyle in a statement. “The cross-platform nature of ModStealer, combined with its stealth and MaaS distribution model, represents an evolving threat to developers, traders, and enterprises alike.”

With its focus on evading antivirus systems, the campaign highlights the need for more advanced, behavior-based security solutions.

Investor Loses $3M in Crypto Phishing Scam

As reported, a cryptocurrency investor has fallen victim to a phishing scam, losing $3.05 million in Tether (USDT) after unknowingly signing a malicious blockchain transaction.

The loss, flagged by blockchain analytics platform Lookonchain on Wednesday, underscores the rising threat of phishing attacks targeting digital asset holders.

The attacker exploited a common habit among crypto users: validating only the first and last few characters of a wallet address while ignoring the middle.

Crypto investors lost over $2.2 billion to hacks, scams, and breaches in the first half of 2025, driven largely by wallet compromises and phishing attacks, according to CertiK’s latest security report.

Wallet breaches alone caused $1.7 billion in losses across just 34 incidents, while phishing scams accounted for over $410 million across 132 attacks.