Malware masquerading as major crypto firms targets over 10m people worldwide

Security firm Check Point warns of a malware named JSCEAL that has been impersonating crypto platforms to lure in millions of victims to steal crypto related data, how does it work?

In a recent blogpost, Check Point Research notified crypto traders of a fairly novel threat online that specifically targets crypto-related data by impersonating approximately 50 crypto platforms, including Binance, MetaMask, eToro, DEX Screener, Monero, Kraken, and many more.

The malware called JSCEAL has been active since March 2024, with limited activity but has evolved into a more complex operation.

“In the campaign’s latest phase, the threat actors acquired a large number of domains and adopted distinctive techniques to evade detection, including sometimes avoiding deploying the final payload,” wrote the security firm.

The malicious software campaign produces crypto firm advertisements to lure in victims. When they click on the ads, they are led to “decoy websites” that direct them to install fake applications”, believing them to be the real crypto platforms used for trading.

In the meantime, the malicious actors infiltrate the victim’s system and steal their crypto-related data.

“During the first half of 2025, threat actors promoted around 35,000 malicious advertisements, which led to a few million views in the EU alone,” wrote Check Point in its blogpost.

According to the security firm’s estimations, each ad was able to reach at least 100 users in the European Union. That means with 35,000 ads, the hackers were able to reach 3.5 million users within the EU alone.

Meanwhile, the firm has not accounted for users outside the EU. Considering that the social media user base worldwide is much larger than the EU’s, the security firms concludes that “the global reach could easily exceed 10 million [people].”

How the JSCEAL malware infiltrate’s user devices

According to the blogpost, the latest version of the malware campaign deploys what is called a “unique anti-evasion methods” which makes it difficult to detect. By using a fake website that directs them to install the malware directly into their devices, the security firm said the double-layered method “significantly complicates analysis and detection efforts.”

JSCEAL uses the programming language JavaScript, as well as what the security firm considers “combination of compiled code and heavy obfuscation.” This way, the victim does not need to trigger the code to make it run.

Moreover, the campaign’s main purpose is to steal information from the infested device and send it to the main hacker’s server. Based on the firm’s analysis, the attackers gather “extensive machine information,” which include location, autocomplete passwords, network details, email information and proxy configuration.

In addition, if the attackers deem the victim to be valuable, they will add an additional code that can download and execute the “final payload” to steal more data and possibly erase any and all traces of the malware from the victim’s system.

However, users can still use anti-malware software to detect malicious executions and stop ongoing attacks on already-infected device.