Password-stealing malware is being spread through NFT airdrops that claim to be Solana Phantom wallet security upgrades.
Unknown hackers have been airdropping NFTs to Solana crypto users in the guise of an upcoming Phantom wallet security upgrade. The airdrop is actually malware that aims to steal their crypto.
According to BleepingComputer, the hackers claim to be part of the Phantom team and are using NFTs titled UPDATEPHANTOM.COM and PHANTOMUPDATE.COM.
After opening the NFT, users are informed that a new security update for the Phantom wallet has been issued, which can be downloaded by clicking the attached link or visiting the listed website.
The message adds urgency by warning that failure to download the security update may result in funds being lost due to hackers exploiting the Solana network.
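The lure described above combines three signals: an unsolicited airdrop, a brand-lookalike domain in the NFT's name or link, and urgency language. The following added example (not from the original article or from Phantom) scores NFT metadata on those signals; the NFT records are constructed, and phantom.app is assumed to be the wallet's legitimate domain.

```python
import re

# Assumption: phantom.app is the wallet's real site; any other domain that
# carries the brand name is treated as a lookalike (e.g. updatephantom.com).
LEGIT_DOMAINS = {"phantom.app"}
BRAND = "phantom"
URGENCY_TERMS = ("security update", "funds", "lost", "hacked", "exploit")

# Matches bare domains as well as full URLs; NFT names in this campaign were just domains.
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?", re.I)


def extract_domains(text):
    """Return the set of lower-cased domains found in free text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def score_airdrop(nft):
    """Heuristic phishing score for an airdropped NFT; returns (score, reasons)."""
    score, reasons = 0, []
    blob = " ".join(str(nft.get(k, "")) for k in ("name", "description", "external_url"))
    domains = extract_domains(blob)
    lookalikes = sorted(d for d in domains if BRAND in d and d not in LEGIT_DOMAINS)
    if lookalikes:
        score += 3
        reasons.append("brand lookalike domain: " + ", ".join(lookalikes))
    elif domains - LEGIT_DOMAINS:
        score += 1
        reasons.append("unknown external link")
    hits = [t for t in URGENCY_TERMS if t in blob.lower()]
    if hits:
        score += 2
        reasons.append("urgency language: " + ", ".join(hits))
    if nft.get("unsolicited", True):  # airdrops the user never requested
        score += 1
        reasons.append("unsolicited airdrop")
    return score, reasons


def is_suspicious(nft, threshold=4):
    return score_airdrop(nft)[0] >= threshold


# Constructed sample metadata: one lure modelled on the campaign, two benign NFTs.
SAMPLE_AIRDROPS = [
    {"name": "UPDATEPHANTOM.COM",
     "description": "A new security update for the Phantom wallet is available. "
                    "Download it from the attached link or funds may be lost.",
     "external_url": "https://updatephantom.com/update"},
    {"name": "Phantom Wallet", "description": "Official wallet news at phantom.app",
     "external_url": "https://phantom.app", "unsolicited": False},
    {"name": "Pixel Cat #42", "description": "Generative art", "unsolicited": False},
]
```

Running `score_airdrop` over `SAMPLE_AIRDROPS` flags only the first record, with the lookalike domain, urgency wording and unsolicited delivery listed as reasons.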
The urgency is likely tied to the Solana wallet hack that saw $8 million stolen from roughly 8,000 wallets, including those of Phantom wallet users. That exploit was later linked to vulnerabilities in the Solana Web3 wallet service Slope.
If a victim follows the Phantom update instructions, malware is downloaded from GitHub. This malware attempts to steal the user’s browser history, cookies, passwords and SSH keys.
Users who have inadvertently fallen for this scam are advised to take security precautions, such as scanning their computers with antivirus software, securing their crypto assets, and changing passwords on highly sensitive platforms such as bank accounts and crypto trading platforms.
Similar campaigns have used malware dubbed Mars Stealer to steal crypto from unsuspecting victims.
Mars Stealer is an upgrade to the Oski trojan, which steals information from browser-based crypto wallets. It also targets popular two-factor authentication (2FA) extensions and includes a grabber function that steals private keys.