Hackers Steal $270,000 in Crypto via Malware-Loaded Phones

Generated by AI Agent | Coin World
Thursday, Apr 3, 2025 12:38 am ET | 2 min read

Hackers have been selling counterfeit Android smartphones online, preloaded with crypto-stealing malware, according to Kaspersky Labs. These devices, sold at discounted prices, contain the Triada malware, which can hijack messaging apps, monitor browsing activity, and intercept and delete SMS messages. The malware is designed to steal cryptocurrency from unsuspecting victims who purchase these fake phones.

The Triada malware is particularly dangerous because it can operate in the background without the user's knowledge. It can intercept two-factor authentication codes sent via SMS, allowing hackers to gain access to victims' cryptocurrency wallets. Additionally, the malware can monitor browsing activity, potentially exposing sensitive information such as login credentials and private keys.

The sale of these counterfeit phones highlights the growing threat of cybercrime in the cryptocurrency space. As the value of cryptocurrencies continues to rise, so does the incentive for hackers to develop sophisticated malware to steal digital assets. The use of preloaded malware on counterfeit devices is a particularly insidious tactic, as it targets individuals who may be less tech-savvy and more likely to fall for discounted offers.

Dmitry Kalinin, a cybersecurity expert at Kaspersky Labs, noted that the attackers can steal crypto by replacing wallet addresses. The malware has transferred about $270,000 in various cryptocurrencies to the attackers' wallets. However, the actual amount may be larger, as the attackers also targeted Monero, a cryptocurrency that is untraceable. The malware can also steal user account information and intercept incoming and outgoing texts, including two-factor authentication codes.

The malware penetrates smartphone firmware even before the phone reaches users, and some online sellers might not even be aware of the ticking time bomb in the device. Kalinin suggested that at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada. At this stage, Kaspersky researchers say they have found 2,600 confirmed infections through this scam in different countries, with the majority of users encountering it in the first three months of 2025.

The Triada malware first surfaced in 2016 and is known for targeting financial applications and messaging apps. It is generally delivered through malicious downloads and phishing campaigns. The best way to avoid falling victim to this scam is to only purchase devices from legitimate distributors and install security solutions immediately after purchase. Other firms have also been raising the alarm over new forms of malware targeting crypto users.

This discovery underscores the importance of vigilance when purchasing electronic devices, especially from unknown or untrusted sources. Users should be cautious of devices sold at significantly discounted prices and should only purchase from reputable retailers. Additionally, it is crucial to use strong, unique passwords and enable two-factor authentication on all cryptocurrency accounts to add an extra layer of security.

In response to this threat, users should also consider using hardware wallets to store their cryptocurrency. Hardware wallets are physical devices that store private keys offline, making them less susceptible to malware and hacking attempts. By taking these precautions, users can better protect their digital assets from the growing threat of cybercrime.
