Urgent Warning: North Korean Hackers Target Ethereum Users

Cisco Talos warns that North Korean-linked hackers using OtterCookie/BeaverTrail malware target Ethereum and BSC wallets via fake apps and malicious npm packages. Users should assume hot wallets may be compromised and move funds to secure storage.

Immediate Alert for Ethereum and Binance Smart Chain Users

Security researchers at Cisco Talos have identified a North Korean-linked cybercrime campaign that uses a malware family tracked as OtterCookie/BeaverTrail to steal funds and credentials from Ethereum and Binance Smart Chain (BSC) users. The threat actor distributes the malware through a fake crypto application and a malicious npm package, enabling theft of private keys, clipboard contents, screenshots, and browser wallet data such as MetaMask.

How the Attack Works

Attackers typically lure victims with fake job offers or bogus project opportunities. Once a user executes obfuscated JavaScript from an untrusted source, OtterCookie/BeaverTrail installs and harvests sensitive data. Stolen files and credentials are then exfiltrated to attacker-controlled servers. This vector—running unknown or anonymous code on a primary system—remains the main entry point for these wallet-hijacking campaigns.

Immediate Steps for Potential Victims

If you suspect compromise, assume any hot wallets are breached. Transfer remaining funds to secure wallets (preferably a hardware cold wallet), revoke old token approvals, and change passwords. Experts also recommend reinstalling your operating system to remove persistent malware. Because the malware harvests clipboard contents, treat the clipboard as untrusted and never paste private keys or seed phrases.

Prevention and Best Practices

Protect yourself by avoiding execution of unvetted npm packages and anonymous code on your main device. Use hardware wallets for significant holdings, enable multi-factor authentication where possible, and regularly audit token approvals in MetaMask and other wallet extensions. Stay updated with security advisories and trust only verified sources when installing crypto tools.
