Beware of JSCEAL, a new type of crypto-asset malware: it impersonates over 50 platforms, including mainstream CEXs and MetaMask, to steal user data, affecting more than 10 million users.

The well-known security company Check Point has released a new threat warning describing a cryptocurrency malware campaign called JSCEAL. The malware impersonates over 50 well-known cryptocurrency trading platforms and wallet services, including mainstream CEXs, MetaMask, and eToro, and uses fake advertisements to lure users into downloading malicious applications that steal sensitive data. The attackers employ complex obfuscation techniques and unique anti-detection methods, reaching over 3.5 million potential victims in Europe alone, with a global impact potentially exceeding 10 million cryptocurrency users. This article details the JSCEAL attack methods and provides security protection recommendations.

【JSCEAL Malware Activity Overview】 The security research organization Check Point Research recently warned cryptocurrency traders on its blog about a relatively novel cyber threat. The malware, known as JSCEAL, has been active since March 2024, initially on a limited scale, but has now evolved into a more complex crypto-asset data theft operation. It steals sensitive user information related to crypto assets by impersonating approximately 50 well-known crypto platforms, including but not limited to mainstream CEXs, MetaMask, eToro, DEX Screener, and Monero.

【Attack Method: Fake Advertising Bait and Malware】 The campaign works mainly by placing fake crypto-asset platform advertisements to lure potential victims. Users who click on these advertisements are redirected to a carefully designed counterfeit of the official website (a bait site). These websites induce users to download and install malicious programs disguised as legitimate trading applications, so that users believe they are installing the real application of a mainstream CEX, MetaMask, or another platform.
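A defender-side check for the bait sites described above, added here as an example and not taken from Check Point's report: it flags hostnames that use one of the impersonated brand names without sitting on that brand's official domain. The domain allowlist and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: official domains for four of the brands the article names.
OFFICIAL = {
    "metamask": {"metamask.io"},
    "etoro": {"etoro.com"},
    "dexscreener": {"dexscreener.com"},
    "monero": {"getmonero.org"},
}
# Digit-for-letter swaps used in lookalike names (0->o, 1->l, 3->e, 5->s).
HOMOGLYPHS = str.maketrans("0135", "oles")


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unrelated'."""
    if "//" not in url:          # allow bare hostnames such as "metamask.io"
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # 1. Exact official domain or one of its subdomains.
    for brand, domains in OFFICIAL.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return ("official", brand)
    # 2. A label that contains, or is one edit away from, a brand name.
    for label in host.split("."):
        norm = label.translate(HOMOGLYPHS).replace("-", "")
        for brand in OFFICIAL:
            if brand in norm or edit_distance(norm, brand) <= 1:
                return ("lookalike", brand)
    return ("unrelated", None)


# Constructed sample URLs (reserved .example names, not real indicators).
SAMPLES = ["https://metamask.io/download", "https://metamask-wallet.example/setup",
           "https://et0ro.example/", "https://metamask.io.login.example/"]
if __name__ == "__main__":
    for u in SAMPLES:
        print(u, classify(u))
```
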

【Impact Scope: Tens of Millions of Users Face Risks】 Check Point stated: "In the first half of 2025, threat actors launched approximately 35,000 malicious ads, which garnered millions of impressions within the European Union (EU) alone." According to the security company's estimates, each ad can reach at least 100 users in the EU. This means that with just 35,000 ads, attackers can reach 3.5 million users within the EU. This figure does not include users outside the EU. Considering that the global social media user base is much larger than that of the EU, Check Point concludes: "The global potential impact of this malware is likely to easily exceed 10 million people", which poses a serious threat to the security of crypto-asset investors worldwide.

【JSCEAL Technical Details: Complex Concealment and Data Theft】 According to the blog post, the latest version of the campaign employs unique anti-evasion techniques that make it difficult to detect. Its core method is to use phishing websites to guide users directly into downloading malicious programs onto their devices; this dual-layer attack strategy "significantly increases the difficulty of analysis and detection."

  • Technical Composition: JSCEAL is written primarily in JavaScript and combines compiled code with heavy obfuscation. This approach allows the malicious code to run in the background without the victim actively triggering it, which makes crypto wallets harder to protect.
  • Target of Theft: The main goal of this activity is to steal information from infected devices and send it to the attacker's server. According to Check Point's analysis, the attacker collects a wide range of information, including:
    • Device location information
    • Passwords saved by the browser (the risk of crypto-asset account passwords leaking is extremely high)
    • Network connection details
    • Email information
    • Proxy configuration
  • Subsequent Attacks: If an attacker believes that a certain victim is of high value (for example, holds a large amount of crypto assets), they deploy additional code to download and execute the final payload. This final payload can steal more data and may wipe all traces of the malware from the device, covering up clues that would help identify the fake platform.

【Security Protection Suggestions for Crypto-Asset Users】 Despite the complex obfuscation techniques used by JSCEAL, users can still detect its malicious behavior by deploying reliable anti-malware solutions, and can stop an ongoing attack if the device has already been infected. Regularly updating security software and keeping operating system patches up to date are fundamental to preventing such threats to crypto assets. For devices involved in cryptocurrency operations, it is recommended to conduct specialized security audits.

Conclusion: The JSCEAL malware activity demonstrates a new trend of supply chain attacks targeting crypto-asset users, with its large-scale operations and strong concealment capabilities posing a severe challenge to personal asset security. Crypto-asset holders and traders must remain vigilant, download applications only through officially verified channels, maintain a high level of skepticism towards online advertisements, and invest in robust security measures to protect their digital assets and blockchain account privacy. Remember that private key security is the cornerstone of crypto-asset security: never enter a private key on unofficial or suspicious platforms.
