A new threat is emerging from hackers who are disseminating hazardous software to Reddit users who are seeking free trading tools. Malwarebytes, a cybersecurity firm, has reported that scammers have installed malware in phony “cracked” versions of TradingView Premium. This malware has the potential to pilfer personal information and empty crypto wallets. Malwarebytes Senior security researcher Jerome Segura issued the warning in a blog post on March 18.
Victims Lose Crypto, Their Identity Gets Stolen
Segura reported that victims had their crypto wallets depleted and later impersonated by criminals who sent phishing links to their contacts. The attack employs a dual threat, in which two distinct malware programs, Lumma Stealer and Atomic Stealer, collaborate to infiltrate the computers of victims.
Atomic, which began operating in April 2023, targets administrator and keychain credentials, while Lumma has been operational since 2022 and concentrates on cryptocurrency wallets and two-factor authentication browser extensions.
AMOS and Lumma info stealers have recently been distributed via Reddit posts targeting Mac and Windows users in the crypto space, draining their wallets and stealing personal data. One of the common lures is a cracked version of the popular trading platform TradingView.
— Malwarebytes (@Malwarebytes) March 19, 2025
Scammers Act Helpful While Spreading Malware
The manner in which the perpetrators interact with potential victims is what distinguishes this scam. The fraudsters are present on cryptocurrency subreddits, where they post links to what they claim are free “cracked” versions of premium financial graphing software for both Windows and Mac.
Segura observed in the blog post that the original poster’s involvement in the thread is intriguing, as they are “helpful” to users who are asking inquiries or reporting an issue. This additional effort to appear legitimate is instrumental in persuading a greater number of individuals to obtain the hazardous files.
Warning Signs Point To Malicious Software
The infected files exhibit distinct warning signs that users should be aware of, according to Malwarebytes’ analysis. Legitimate software does not employ the distribution method of double-zipped files with password protection, which is the case with the malware.
Another significant red flag is that the scammers frequently request that users disable their security software in order to execute the program. The poster’s helpful comments obscure the disclaimer that users download at their own risk, despite the fact that the post acknowledges this.
Crypto Crime Becomes More Professional
Meanwhile, the attack’s trail leads to unexpected locations. Malwarebytes discovered that the malware was hosted on a website owned by a cleaning company in Dubai, while the command and control server was registered in Russia approximately one week ago.
Chainalysis’s 2025 Crypto Crime Report describes a broader pattern in which crypto crime has “entered a professionalized era dominated by AI-driven schemes, stablecoin laundering, and efficient cyber syndicates.” This scam is part of this pattern. The report disclosed that illicit cryptocurrency transactions reached over $50 billion in the previous year.
Featured image from Gemini Imagen, chart from TradingView
