Understanding recent credential leaks and the rise of InfoStealer malware

Opinion by: Jimmy Su, Binance chief security officer

The threat of InfoStealer malware is on the rise, targeting people and organizations across digital finance and far beyond. InfoStealers are a category of malware designed to extract sensitive data from infected devices without the victim’s knowledge. This includes passwords, session cookies, crypto wallet details and other valuable personal information.

According to Kaspersky, these malware campaigns leaked over 2 million bank card details last year. And that number is only growing.

These tools are widely available via the malware-as-a-service model. Cybercriminals can access advanced malware platforms that offer dashboards, technical support and automatic data exfiltration to command-and-control servers for a subscription fee. Once stolen, data is sold on dark web forums, Telegram channels or private marketplaces.

The damage from an InfoStealer infection can go far beyond a single compromised account. Leaked credentials can lead to identity theft, financial fraud and unauthorized access to other services, especially when credentials are reused across platforms.

Recent: Darkweb actors claim to have over 100K of Gemini, Binance user info

Binance’s internal data echoes this trend. In the past few months, we’ve identified a significant uptick in the number of users whose credentials or session data appear to have been compromised by InfoStealer infections. These infections don’t originate from Binance but affect personal devices where credentials are saved in browsers or auto-filled into websites.

InfoStealer malware is often distributed via phishing campaigns, malicious ads, trojan software or fake browser extensions. Once on a device, it scans for stored credentials and transmits them to the attacker.

The common distribution vectors include:

• Phishing emails with malicious attachments or links.

• Fake downloads or software from unofficial app stores.

• Game mods and cracked applications are shared via Discord or Telegram.

• Malicious browser extensions or add-ons.

• Compromised websites that silently install malware (drive-by downloads).

Once active, InfoStealers can extract browser-stored passwords, autofill entries, clipboard data (including crypto wallet addresses) and even session tokens that allow attackers to impersonate users without knowing their login credentials.

Some signs that might suggest an InfoStealer infection on your device:

• Unusual notifications or extensions appearing in your browser.

• Unauthorized login alerts or unusual account activity.

• Unexpected changes to security settings or passwords.

• Sudden slowdowns in system performance.

Over the past 90 days, Binance has observed several prominent InfoStealer malware variants targeting Windows and macOS users. RedLine, LummaC2, Vidar and AsyncRAT have been particularly prevalent for Windows users. 

• RedLine Stealer is known for gathering login credentials and crypto-related information from browsers.

• LummaC2 is a rapidly evolving threat with integrated techniques to bypass modern browser protections such as app-bound encryption. It can now steal cookies and crypto wallet details in real-time.

• Vidar Stealer focuses on exfiltrating data from browsers and local applications, with a notable ability to capture crypto wallet credentials.

• AsyncRAT enables attackers to monitor victims remotely by logging keystrokes, capturing screenshots and deploying additional payloads. Recently, cybercriminals have repurposed AsyncRAT for crypto-related attacks, harvesting credentials and system data from compromised Windows machines.

For macOS users, Atomic Stealer has emerged as a significant threat. This stealer can extract infected devices’ credentials, browser data and cryptocurrency wallet information. Distributed via stealer-as-a-service channels, Atomic Stealer exploits native AppleScript for data collection, posing a substantial risk to individual users and organizations using macOS. Other notable variants targeting macOS include Poseidon and Banshee.

At Binance, we respond to these threats by monitoring dark web marketplaces and forums for leaked user data, alerting affected users, initiating password resets, revoking compromised sessions and offering clear guidance on device security and malware removal.

Our infrastructure remains secure, but credential theft from infected personal devices is an external risk we all face. This makes user education and cyber hygiene more critical than ever.

We urge users and the crypto community to be vigilant to prevent these threats by using antivirus and anti-malware tools and running regular scans. Some reputable free tools include Malwarebytes, Bitdefender, Kaspersky, McAfee, Norton, Avast and Windows Defender. For macOS users, consider using the Objective-See suite of anti-malware tools. 

Lite scans typically don’t work well since most malware self-deletes the first-stage files from the initial infection. Always run a full disk scan to ensure thorough protection.

Here are some practical steps you can take to reduce your exposure to this and many other cybersecurity threats:

• Enable two-factor authentication (2FA) using an authenticator app or hardware key.

• Avoid saving passwords in your browser. Consider using a dedicated password manager.

• Download software and apps only from official sources.

• Keep your operating system, browser and all applications up to date.

• Periodically review authorized devices in your Binance account and remove unfamiliar entries.

• Use withdrawal address whitelisting to limit where funds can be sent.

• Avoid using public or unsecured WiFi networks when accessing sensitive accounts.

• Use unique credentials for each account and update them regularly.

• Follow security updates and best practices from Binance and other trusted sources.

• Immediately change passwords, lock accounts and report through official Binance support channels if malware infection is suspected.

The growing prominence of the InfoStealer threat is a reminder of how advanced and widespread cyberattacks have become. While Binance continues to invest heavily in platform security and dark web monitoring, protecting your funds and personal data requires action on both sides.

Stay informed, adopt security habits and maintain clean devices to significantly reduce your exposure to threats like InfoStealer malware.

Opinion by: Jimmy Su, Binance chief security officer.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.