A sophisticated malware campaign targeting cryptocurrency traders has emerged on Reddit, with scammers distributing fake "cracked" versions of TradingView Premium that steal digital assets and sensitive data from unsuspecting users.
Security researchers at Malwarebytes have identified malicious code hidden in counterfeit TradingView downloads being promoted across cryptocurrency subreddits. The scammers promise free access to TradingView's premium charting features while actually delivering dangerous information-stealing malware.
Two distinct types of malware have been detected: Lumma Stealer targeting Windows users and Atomic Stealer (AMOS) affecting Mac users. Lumma Stealer specifically attacks cryptocurrency wallets and two-factor authentication, while AMOS captures sensitive data like passwords and keychain information.
Multiple victims have already reported having their cryptocurrency wallets completely drained after installing the fake software. The attackers then leverage compromised accounts to spread phishing links, expanding their reach.
"What makes this campaign unique is the scammers' high level of engagement," notes Jerome Segura, senior security researcher at Malwarebytes. "They actively help users troubleshoot download issues and answer questions in Reddit threads, creating an appearance of legitimacy."
The malicious files exhibit several suspicious characteristics, including "double zipped" packaging with password protection, which is unusual for legitimate software. Users are also instructed to disable their security software, a major red flag.
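The packaging trait described above can be checked before anything is extracted. The following Python check is an added example, not code from Malwarebytes or the original report; it reads only ZIP metadata and flags an archive that contains another archive together with password-protected entries. The function names, size limits and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_DEPTH = 4            # assumed limit: stop recursing on deeply nested input
MAX_BYTES = 64 * 2**20   # assumed limit: do not unpack entries larger than 64 MiB

def triage_archive(data, depth=0, path=""):
    """List nested archives and password-protected entries of an in-memory ZIP."""
    findings = {"nested": [], "encrypted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = path + info.filename
            if info.flag_bits & 0x1:              # bit 0 set: entry is encrypted
                findings["encrypted"].append(name)
                if name.lower().endswith(".zip"):  # unreadable, but named as a ZIP
                    findings["nested"].append(name)
                continue
            if info.is_dir() or depth >= MAX_DEPTH or info.file_size > MAX_BYTES:
                continue
            body = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):
                findings["nested"].append(name)
                inner = triage_archive(body, depth + 1, name + "/")
                findings["nested"] += inner["nested"]
                findings["encrypted"] += inner["encrypted"]
    return findings

def is_suspicious(findings):
    """True for the combination described above: ZIP inside ZIP plus a password."""
    return bool(findings["nested"]) and bool(findings["encrypted"])

def build_sample(encrypted):
    """Constructed sample: outer ZIP > inner.zip > installer.bin (placeholder bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("installer.bin", b"constructed placeholder")
    raw = bytearray(inner.getvalue())
    if encrypted:
        # Set bit 0 of the flags field (offset 8) in the central directory record.
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", bytes(raw))
    return outer.getvalue()

if __name__ == "__main__":
    result = triage_archive(build_sample(encrypted=True))
    print(result, "suspicious:", is_suspicious(result))
```

A hit is a reason to stop and verify the download source, not a malware verdict; the check needs no password because the encryption flag is stored in the archive's unencrypted directory.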
While the attack's full origin remains unclear, researchers traced the hosting website to Dubai and identified a command and control server registered in Russia. The campaign appears to be part of a broader trend targeting cryptocurrency holders, with blockchain analytics firm Chainalysis estimating $51 billion in illicit transaction volume last year.
Security experts strongly advise only downloading TradingView software from official sources. Users who may have installed suspicious versions should immediately change passwords from a clean device, transfer cryptocurrencies to new wallets, and run malware scans.
The scam's success highlights how criminals continue exploiting users seeking free versions of premium services, particularly in trusted communities like Reddit's cryptocurrency forums.