The dangers to cryptocurrency wallets and how to fend them off (part 2)

Next story

Part 2: Diverse threats to hot and cold wallets


In part one of this blog, ESET explored some of the threats surrounding the use of hot wallets; specifically clippers and fake login pages. These threats are particularly lethal due to the fact that hot wallets are always connected to the internet. Here, we continue our overview of the cryptocurrency wallet threat landscape, by taking a look at malware-laced links as another top danger to hot wallet users, along with some security considerations relevant for cold wallet users.


Bad links and more bad links
Have you ever clicked on a link that looked like “” but turned out to be something else? This is called a homoglyph attack. By replacing certain characters in the domain name with ones that, to human eyes, either look similar or identical (but are actually different to computers), phishing operators can craft links that appear to lead to popular websites but actually resolve to malicious sites. ESET telemetry for Q2 2020 showed attackers were focussing on cryptocurrency exchanges, with and being the most targeted domains:


Without a security solution like ESET Internet Security installed on your machine, or short of a detective’s eye for picking up on the character switch – a highly unlikely event – nothing would stop most users from getting phished.

Phishing can also happen via another, very typical path – spam emails attempting to clog inboxes. Clicking on malicious links in these spam messages and potentially giving banking trojans, such as Mekotio, a chance to do damage on PCs is quite unwelcome. Some variants of Mekotio, for example, attempt to steal bitcoins by replacing the bitcoin wallet address in the clipboard.

A keylogger is standard equipment for a lot of malware. Again, if it weren’t for additional protection layers like Banking & Payment Protection, offered as part of the ESET Internet Security solution, typing in wallet addresses via a browser would be at risk from keyloggers.

Before leaving the topic of bad links, if you are still using torrents to download cracked or pirated software and games and then switching over to an exchange to do a little crypto trading, think again. As one more deterrent against the use of torrent sites, malware like KryptoCibule is found on some of these platforms. KryptoCibule tries to hijack cryptocurrency transactions by replacing wallet addresses in the clipboard and exfiltrating any cryptocurrency-related files it finds on the victim’s machine.


Cold wallets: limiting the threats to a physical playing field
As the more well-versed crypto traders are aware, the best way to minimise the dangers that beset the use of hot wallets is to use a cold wallet. Two popular options are Ledger and Trezor. By creating an air gap between your wallet and the internet, the risks take on a predominantly physical outlook.

There is the obvious risk of losing your cold wallet, having it stolen or, less likely but possible, tampering occurring along the supply chain. Then, in the hands of knowledgeable hardware hackers, both Trezor and Ledger have been coaxed to give up the key and recovery phrase.

While using cold wallets decreases numerous cyber risks, the parallel decrease in ease of use can still remain a bit of a sore tooth for some. And our ‘friendly’ malware operators have just the solution to soothe that pain – Google Chrome extensions and Firefox add-ons that integrate your Ledger wallet with the browser. So, back to the world of hot wallets.

“Now you can access wallet functionality directly from your browser, to quickly and easily make cryptocurrency transactions. All you have to do is share your 12/24-word recovery phrase to sign up.” You can easily guess the glib words that these hackers might use to persuade potential victims.

After sharing your recovery phrase, the attackers can quickly clone your hardware wallet and take over your crypto-assets. Total losses for this type of scam exceed $250,000, according to some reports. ESET detects these threats as JS/ExtenBro.CryptoSteal.



1.     Keep your devices updated and always use a reliable security solution, such as ESET Internet Security or ESET Mobile Security, to protect them from the latest threats.

2.     If you’d like to download a cryptocurrency wallet app, first make sure your selected service really does offer a mobile, desktop or online wallet – you can do this by checking the service’s official website.

3.     When downloading mobile wallet apps from Google Play, review the app’s ratings, reviews and number of downloads. Be cautious of newly published apps with positive reviews that seem too good to be true.

4.     Where the option is available, always use multi-factor authentication to protect your wallet accounts with an extra layer of security.

5.     Think twice about where you are sharing your wallet recovery phrase and key.

6.     Type your wallet address, instead of copying and pasting it, and double-check the address before using it.

7.     Determine whether the app provider offers insurance or consumer protection against coin losses.


Considering e-trading? Many of these practices are relevant there too. Have a read about e-trading and the wider use of FinTech apps.