Consensus 2023 Logo
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.
Consensus 2023 Logo
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.

A new ransomware attack is going after cryptocurrency wallets, along with account credentials from other applications such as NordVPN, Telegram, Discord and Steam.

Dubbed “Panda,” the new information-stealing malware (also called infostealer for short) was discovered by Trend Micro, a cybersecurity software company. 

“Crypto wallets are now as big of a target for online theft as banking accounts are,” said the Trend Micro researchers who discovered the attack. “With more people getting into cryptocurrencies and the values of said cryptocurrencies still increasing, this will only become a greater threat moving forward.”

They also said there is more risk here because unlike with a bank robbery or credit card theft, there may not be a central authority that can undo malicious transactions. Once you lose your money and the transaction goes on the blockchain, it's likely gone forever.

The malware attack

At a high level, according to the researchers, the attack begins with spam messages that contain a malicious attachment. The attachment uses PowerShell scripts, a task automation and configuration management coding language Microsoft, to download the actual Panda Stealer malware (in encoded form), which is then loaded without files onto the affected system.

“None of this is particularly novel in and of itself – malicious Office documents are well known, so is fileless loading,” the researchers said. “The main 'new' aspect here is the target of the data theft.”

Beyond just targeting cryptocurrency wallets with malware, attackers are now setting their sights on applications like Discord and Telegram – popular communications platforms for cryptocurrency communities. 

The attack campaign, which was active in April, uses spam emails and the same rare fileless distribution method as a separate recent attack. Morphisec, another cybersecurity firm, discovered a Phobos ransomware campaign in early April that uses an identical fileless distribution method to Panda, making it more difficult for security tools to spot.

"The fileless distribution used in this case means there is no signature for antivirus software to detect the threat, and it can bypass detection,” said Michael Gorelik, chief technology officer and head of threat intelligence at Morphisec. “Therefore, it's dangerous for both consumers' wallets and even enterprises, with more lines of security set up."

Follow best security practices

The Trend Micro researchers said following long-standing security practices still applies here. Not opening up attachments sent via email, making sure you don’t click on unknown links and keeping software upgraded still are basic security measures people can take to avoid malware and other security breaches. 

Specific to cryptocurrencies, they said the best advice is to secure your cryptocurrency wallets. They weren’t able to give specific recommendations given the wide array of wallets on the market, but recommended using strong, unique passwords. 

“If the wallet you're using offers multifactor authentication (and many do – if anything, they may support multiple methods), use them,” the researchers said.  “For investors who are more interested in holding cryptocurrencies for the long term instead of actively trading them, the use of hardware-based/offline wallets may well be safer, if less convenient to add to or sell from.”


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.