Beware of ‘cracked’ TradingView — it’s a crypto-stealing trojan

Cybersecurity firm Malwarebytes has warned of a new form of crypto-stealing malware hidden inside a “cracked” version of TradingView Premium, software that provides charting tools for financial markets. 

The scammers are lurking on crypto subreddits, posting links to Windows and Mac installers for “TradingView Premium Cracked,” which is laced with malware aimed at stealing personal data and draining crypto wallets, Jerome Segura, a senior security researcher at Malwarebytes, said in a March 18 blog post.

“We have heard of victims whose crypto wallets had been emptied and were subsequently impersonated by the criminals who sent phishing links to their contacts,” he added.

Fraudsters claim the programs are free and have been cracked directly from their official version, but they are actually riddled with malware. Source: Malwarebytes

As part of the snare, the fraudsters claim the programs are free and have been cracked directly from their official version, unlocking premium features. It actually contains two malware programs, Lumma Stealer and Atomic Stealer.

Lumma Stealer is an information stealer that’s been around since 2022 and primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions. Atomic Stealer was first discovered in April 2023 and is known for its ability to capture data such as administrator and keychain passwords.

Besides “TradingView Premium Cracked,” the scammers have offered other fraudulent trading programs to target crypto traders on Reddit. 

Segura said one of the interesting aspects of the scheme is that the scammer also takes the time to assist users in downloading the malware-ridden software and help resolve any issues with the download.

“What’s interesting with this particular scheme is how involved the original poster is, going through the thread and being ‘helpful’ to users asking questions or reporting an issue,” Segura said.

“While the original post gives a heads-up that you are installing these files at your own risk, further down in the thread, we can read comments from the Original poster.”

In this case, the scammer sticks around to assist users in downloading the malware-ridden software. Source: Malwarebytes

The origin of the malware wasn’t clear, but Malwarebytes found that the website hosting the files belonged to a Dubai cleaning company, and the malware command and control server had been registered by someone in Russia roughly one week ago.

Segura says that cracked software has been prone to containing malware for decades, but the “lure of a free lunch is still very appealing.”

Common red flags to watch out for with these types of scams are instructions to disable security software so the program can run and files that are password-protected, according to Malwarebytes. 

Related: Microsoft warns of new remote access trojan targeting crypto wallets

In this instance, Segura says the “files are double zipped, with the final zip being password protected. For comparison, a legitimate executable would not need to be distributed in such fashion.”

Blockchain analytics firm Chainalysis reported in its 2025 Crypto Crime Report that crypto crime has entered a professionalized era dominated by AI-driven scams, stablecoin laundering, and efficient cyber syndicates. In the past year, the analytics firm estimates there was $51 billion in illicit transaction volume. 

Magazine: Ridiculous ‘Chinese Mint’ crypto scam, Japan dives into stablecoins: Asia Express