Gamers at Risk as Fake Roblox Mods Spread Crypto-Stealing Malware

Kaspersky researchers have uncovered Stealka, a sophisticated infostealer masquerading as game mods and pirated software that targets crypto wallets and browser credentials across over 115 extensions.

The malware spreads through trusted platforms, including GitHub, SourceForge, and Softpedia, where attackers create professional-looking fake websites and repositories to distribute the threat under the guise of popular game cheats for titles like Roblox and GTA V.

The discovery marks the latest escalation in a broader pattern of gaming-focused malware campaigns, as cybercriminals increasingly exploit the trust gamers place in modding communities.

Attackers leverage popular search terms and authentic-looking download pages to lure victims, with some sites falsely claiming that virus scans are conducted before downloads, even though no such verification occurs.

The malicious files appear deliberately deceptive; one fake site advertised Half-Life 3 while describing it as “professional software solution designed for Windows,” using popular gaming titles merely as bait to maximize search engine visibility.

Extensive Arsenal Targets Crypto Wallets

According to the security firm, Stealka’s capabilities extend far beyond basic credential theft, targeting data from browsers built on Chromium and Gecko engines, putting over 100 applications, including Chrome, Firefox, Opera, and Edge, at immediate risk.

The malware extracts autofill data, session tokens, and cookies that allow attackers to bypass two-factor authentication and hijack accounts without passwords, while simultaneously targeting 115 browser extensions for crypto wallets, password managers, and authentication services.

High-value targets include crypto wallets such as Binance, Coinbase, MetaMask, Trust Wallet, and Phantom, as well as password managers such as 1Password, Bitwarden, LastPass, and NordPass.

The stealer downloads local configurations from 80 wallet applications, encompassing Bitcoin, Ethereum, Exodus, Monero, and Dogecoin, that may contain encrypted private keys and seed phrase data sufficient to compromise holdings.

Beyond crypto assets, Stealka infiltrates messaging apps like Discord and Telegram, email clients including Outlook and Thunderbird, gaming platforms such as Steam and Roblox launchers, VPN clients like ProtonVPN and Surfshark, and note-taking apps where users often improperly store sensitive information.

The malware additionally harvests system data, installed program lists, hardware specifications, and captures screenshots to maximize intelligence gathering.

Attackers have used compromised accounts to spread the malware further, with Kaspersky discovering the stealer in a GTA V mod posted by a previously hijacked account on a dedicated modding site.

Industry Faces Mounting Security Crisis

The Stealka campaign emerges amid catastrophic industry-wide security failures, as crypto platforms have lost $9.1 billion in 2025 alone, which is 10% of the $90 billion stolen over the past 15 years.

In November, losses exceeded $276 million, pushing the annual total past historical records.

“Crypto is facing a security reckoning,” said Mitchell Amador, CEO of Immunefi, a crowdsourced security platform protecting $180 billion in assets.

“Most hacks this year haven’t occurred due to poor audits—they’ve happened after launch, during protocol upgrades, or through integration vulnerabilities.“

Amador emphasized that 99% of Web3 projects operate without basic firewalls while fewer than 10% deploy modern AI security tools, calling the sector’s approach “willful negligence.“

The human element has become the primary attack surface, with threat actors shifting from code vulnerabilities to operational security breaches as smart contracts become harder to exploit.

“The threat landscape is shifting from on-chain code vulnerabilities to operational security and treasury-level attacks,” Amador explained. “As code hardens, attackers target the human element.”

Kaspersky’s broader research reveals a sustained malware ecosystem, having previously documented the GitVenom campaign involving hundreds of fake GitHub repositories, SparkKitty mobile malware that infiltrated Apple’s App Store and Google Play to steal seed phrase screenshots via OCR, and ClipBanker trojans hidden in fake Microsoft Office downloads.

North Korean threat groups have also escalated tactics by weaponizing blockchain technology itself, embedding malware payloads in smart contracts on the BNB Smart Chain and Ethereum, creating a decentralized command-and-control infrastructure that law enforcement cannot shut down.

For now, Kaspersky recommends users to do the following:

• Deploy reliable antivirus software.
• Avoid storing sensitive credentials in browsers.
• Exercise extreme caution with game cheats and pirated software.
• Enable two-factor authentication with backup codes stored in encrypted password managers rather than text files.
• Refrain from downloading software from untrusted sources despite the convenience they may offer.