Gamers at Risk as Fake Roblox Mods Spread Crypto-Stealing Malware
Kaspersky has uncovered a malware campaign involving Stealka, an infostealer disguised as Roblox and GTA V mods, which targets crypto wallets and browser credentials across 115 extensions. The malware propagates through platforms such as GitHub, SourceForge, and Softpedia, relying on professional-looking fake websites and repositories advertising game cheats. Some of these fake pages falsely claim to perform virus scans before downloads, though no actual verification takes place.
Stealka targets Chromium- and Gecko-based browsers by extracting autofill data, session tokens, and cookies to bypass two-factor authentication (2FA) and hijack accounts. High-value targets include wallets such as Binance, Coinbase, MetaMask, Trust Wallet, and Phantom, as well as password managers like 1Password, Bitwarden, LastPass, and NordPass. Additionally, it downloads configurations from roughly 80 wallet applications covering Bitcoin, Ethereum, Exodus, Monero, and Dogecoin, potentially exposing private keys and seed phrases.
Beyond browsers, the malware infiltrates applications including Discord, Telegram, Outlook, Thunderbird, Steam, Roblox launchers, ProtonVPN, Surfshark, and note-taking apps while also collecting system data and screenshots. Attackers have used compromised accounts to spread the malware; for instance, a GTA V mod was distributed from a hijacked account on a modding site.
In the broader context of crypto security, platforms lost approximately $9.1 billion in 2025 alone, representing 10% of the $90 billion stolen over 15 years. November losses exceeded $276 million. Mitchell Amador, security leader at Immunefi, warns of a looming security reckoning and urges the adoption of improved firewalls and AI security tools, noting that the human element remains a vulnerability.
Kaspersky advises users to maintain reliable antivirus protection, avoid storing credentials in browsers, exercise caution with game cheats and pirated software, enable 2FA with encrypted backup codes, and refrain from downloading software from untrusted sources.
