Styx Stealer: A New Threat to Cryptocurrency Security
Styx Stealer, a newly emerged malware, has been quietly infiltrating Windows-based computers to pilfer cryptocurrency. Identified by cybersecurity firm Check Point Research in April, Styx is a more robust iteration of the earlier Phemodrone Stealer, which first garnered attention in early 2024. This sophisticated malware exploits a now-resolved vulnerability in Windows, enabling it to hijack cryptocurrency transactions and extract sensitive data from compromised systems, including private keys, browser cookies, and autofill data.
While Phemodrone primarily targeted web browsers to siphon crypto from wallets and gather other information, Styx introduces a more alarming threat with its crypto-clipping mechanism. This feature allows the malware to monitor clipboard activity, replacing copied cryptocurrency wallet addresses with those belonging to the attacker. Previously, this technique was utilized by the Phorpiex botnet to commandeer crypto transactions.
A Multi-Blockchain Menace
Check Point Research has revealed that Styx is capable of identifying wallet addresses across nine different blockchains, including Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Ripple (XRP), Litecoin (LTC), Bitcoin Cash (BCH), Stellar (XLM), Dash (DASH), and Neo (NEO). Notably, Chromium- and Gecko-based browsers, as well as data from browser extensions, Telegram, and Discord, are particularly susceptible to this malware.
The builder of Styx Stealer features an autorun capability and a user-friendly graphical interface, simplifying the process for cybercriminals to customize and deploy the malware. Additionally, Styx incorporates basic anti-analysis techniques to obscure its activities. It can terminate processes linked to debugging tools and detect virtual machine environments; upon detection, it initiates self-deletion to avoid exposure.
Available via Telegram
The distribution and sale of Styx are conducted manually through the Telegram account @styxencode and the website styxcrypter[.]com. Check Point Research has also uncovered advertisements and promotional YouTube videos for this malicious software. To date, at least 54 individuals have reportedly sent the Styx developer approximately $5,500 in various cryptocurrencies, including Bitcoin and Litecoin. Unlike its predecessor, which was offered for free, Styx is available via a monthly subscription priced at $150, $400 for three months, or $900 for lifetime access.
While the total amount of cryptocurrency stolen or the extent of systems infected by Styx remains uncertain, the rise of crypto-stealing malware has also been noted on Apple’s MacOS. Earlier this year, antivirus developer Kaspersky reported that malware targeting Bitcoin and Exodus wallets was replacing legitimate software with altered versions.
The increasing profitability of hacks and thefts in the expanding crypto sector has resulted in millions of dollars lost annually. However, some notorious threat actors have opted to cease operations. Notably, last month, Angel Drainer, a malware-as-a-service responsible for over $30 million in thefts, shut down its operations. Similarly, in November, the multi-chain crypto scam service Inferno Drainer also halted its services.