Malware Alert: Mars Stealer Attacks Crypto Wallets and 2FAs

Mars Stealer steals data from browser-based crypto wallets and 2FA plugins.

mars stealer malware crypto wallets

New dangerous malware is targeting browser-based cryptocurrency wallets. The malicious software, called Mars Stealer, is capable of stealing private keys and logins to 2-Factor Authenticator (2FAs) plugins. 

Its targets include widely used browser-based cryptocurrency wallets like MetaMask, Coinbase Wallet, Nifty Wallet, Ronin Wallet, MEW CX, Binance Chain Wallet,  TronLink and approximately 40 others. 

Credential Stealing Malware

Mars Stealer is an updated version of Oski Stealer, the malware that first appeared back in 2019 and was used to steal personal and sensitive information later offered for sale on Russian underground hacking forums, as reported by programmer and malware analyst 3xp0rt.


The malicious software operates by extracting content and information from infected devices. It uses special techniques to collect information from the memory of browser extensions, cryptocurrency wallets, and 2FAs. 

Being a lightweight malware at only 95kb in size, Mars Stealer does not strain the infected operating system, and thus does not emit any of the typical signs of compromise. Additionally, the malware has the ability to remove itself once it has extracted the necessary data. 

The new malware targets most popular web browsers, including Chrome (V80), Microsoft Edge (Chromium Version), Internet Explorer, Opera (Stable, GX, Neon), Firefox, Brave, Thunderbird, TorBro Browser, SputnikBrowser, and many more. Only the Apple-developed Safari OS has evaded being on the target list, at least so far.


According to the expert, dozens of crypto extensions and wallets, such as Bitcoin Core, Atomic, Binance, Coinomi, Ethereum, Electrum, Electron Cash, Exodus, JAXX, and MultiDoge, are also vulnerable to attacks by the Mars Stealer.

Furthermore, the malware also targets 2FA plugins. The expert named Authenticator, Authy, EOS Authenticator, GAuth Authenticator, and Trezor Password Manager as the main targets.

Mars Stealer also threatens the ability to obtain additional information like a user’s IP address, country, time zone, keyboard layout, installed software, usernames, and more.  

Hints Lead to Russia

Although there is no direct proof that Mars Stealer is some kind of a “Russian export,” there are several factors that hint that the malware might have originated there.

The malware is an updated version of Oski Stealer, which appeared to be of Russian origin and was sold over Russian-speaking hacker forums.

The promotion of Mars Stealer seemingly also started on such Russian forums last year. Currently, the private key stealing malware is being sold for around $140 on hacker forums. 

Users Must Stay Cautious

How the malware ends up being distributed depends on hackers’ imagination. However, common methods include spreading it via shady download channels, unofficial file-hosting, and P2P sharing websites.

The fraudsters may also invoke the use of spam campaigns, spreading hundreds of thousands of emails with infected links or attached files.

To minimize the risk of malware infection, cybersecurity experts advise regularly updating apps and software. It is also important not to use unofficial or unverified web sources, and not to open suspicious emails, links, or attachments.

It should go without saying that cryptocurrency users should never share their private key data with anyone, and be especially wary of any pop-ups asking for such info. To maximize the secure storage of digital assets, experts advise considering the usage of cold-storage cryptocurrency wallets.

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Simona Ram

Simona Ram is a senior journalist at DailyCoin, based in Lithuania, who covers the forces and people shaping the Web3 industry and the areas where decentralized crypto assets meet the centralized world. She has experience in business communication within the financial sphere and has a degree in Foreign Languages, which helps her interact effectively with sources from diverse backgrounds. In her free time, Simona enjoys exploring new cultures.