McAfee researchers uncovered a cryptocurrency-stealing malware campaign dubbed Silent Swap targeting holders of XRP, ETH, BTC and other tokens, the cybersecurity firm said July 1.
"Silent Swap represents an extremely sophisticated threat designed to intercept cryptocurrency transactions," the McAfee Advanced Threat Research team said in a report.
The malware targets holders of three of the largest cryptocurrencies by market capitalization — XRP, ETH and BTC — along with other digital assets. Specific infection vectors and the total number of compromised wallets have not yet been disclosed, McAfee said. The firm is continuing to analyze the malware's distribution methods and payload delivery mechanisms.
The campaign comes as threat actors increasingly target crypto holders through sophisticated malware operations. In June, a coordinated law enforcement action known as Operation Endgame disrupted infrastructure powering the Amadey and StealC malware families, leading to the recovery of about 27 million stolen credentials from more than 385,000 compromised systems, according to Europol. The two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone. Amadey was used to gain initial footholds on victim devices, after which StealC harvested credentials, cryptocurrency wallets and other sensitive information for follow-on attacks.
Separately, researchers identified KuinaExtractor, a Rust-based information stealer active since December 2025 that harvests browser data, crypto wallets and credentials for services including Roblox, Steam and Discord. The malware includes a bypass for Chrome's app-bound encryption feature. A new LokiBot campaign has also been observed delivering malware via JavaScript attachments, targeting password managers including 1Password, Enpass and KeePass. In another incident, threat actors exploited a critical vulnerability in SimpleHelp RMM software — CVE-2026-48558 — to deploy Djinn Stealer, a cross-platform infostealer that swept machines for cloud credentials, SSH keys and cryptocurrency wallets.
The Silent Swap discovery illustrates the evolving threat environment for cryptocurrency holders, in which attackers deploy increasingly sophisticated methods to intercept transactions and drain wallets. McAfee urged users to exercise caution with transaction approvals and wallet permissions, and recommended using hardware wallets for storage, verifying transaction details before signing, and regularly auditing wallet permissions. The firm said it will release additional technical details about Silent Swap as its analysis progresses.