ESET Research finds cryptocurrency-stealing trojans on WhatsApp and Telegram
Programs are capable of replacing the wallet address and reading users’ seed phrases
20.03.2023 - 09:45
1048
3 min
0
What’s new? ESET, an antivirus software developer, detected trojans embedded in messengers WhatsApp and Telegram for Android and Windows operating systems. According to ESET, attackers first place Google ads leading to fraudulent YouTube channels, which then redirect users to fake app sites. A downloaded version of the messenger with malware can replace cryptocurrency wallet addresses that victims send in chat messages.
How does the malware work? Some clippers use optical character recognition to extract text from screenshots and steal seed phrases to recover crypto wallets.
Seed phrase as a modern cryptocurrency security standard
Keep the seed phrase as the apple of your eye - that's the advice you can give to anyone starting their journey in cryptocurrencies
Clippers are a type of malware that steals or modifies the contents of the clipboard.
In addition to clippers, ESET also found trojans that allow remote access to victims’ devices using WhatsApp and Telegram for Windows. In some cases, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends a full message to the attacker’s server.
ESET noted that judging by the language used in the apps, the operators are targeting Chinese users. Since Telegram and WhatsApp have been blocked in China for several years, people wishing to use the apps are forced to resort to unofficial ways to install them.
To protect against trojans, ESET experts recommend deleting infected versions of messengers and installing applications only from reliable sources. In addition, it is recommended not to store unencrypted pictures or screenshots with sensitive information on your device.
Earlier, SafeGuard warned about new malware for stealing cryptocurrencies in Telegram. The malware was spread through spam with images and was hidden on the victim’s device as an operating system file. And analysts at Cyble revealed the PennyWise malware, which can steal data from 30 different crypto wallets, including cold ones. The malware is spread under the guise of free mining software, links to which are posted under tutorial videos on YouTube.
Useful material?
Telegram 
Twitter Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Cryptocurrency rates
-
Bitcoin
$61 341
BTC
-1.67%
-
Ethereum
$2 551.16
ETH
+3.56%
-
BNB Smart Chain
$579.4
BSC
+1.23%
-
Ripple
$1.08
XRP
-2.09%
-
TRON
$0.160134
TRX
-1.59%
-
Dogecoin
$0.076901
DOGE
-3.29%
-
Zcash
$410.85
ZEC
-2.61%
-
Stellar XLM
$0.188244
XLM
-2.8%
-
Cardano
$0.145456
ADA
-4.16%
-
Polkadot
$3.32
DOT
+5.27%