
Cybercriminals launched ads to millions of users to steal crypto wallets through fake apps

More than 10 million people worldwide may have fallen victim to the JSCEAL malware distribution campaign. The attackers created fake cryptocurrency wallet and exchange apps, built their own websites for them, and then advertised them heavily online. There were over 35,000 such ads in the EU.


According to TechRadar, the attack has been ongoing since spring 2024. The group of hackers created a series of fake websites and mobile applications that pretended to be popular cryptocurrency services. They purchased thousands of ads on social media and ad networks to distribute them. According to Check Point, these ads reached at least 3.5 million people in the European Union alone, and the total number of potentially affected users worldwide exceeded 10 million.

The malware was delivered to victims' computers via MSI files disguised as crypto service installers. Once launched, the installer started a series of scripts that analyzed system characteristics, ran PowerShell commands, and collected information about browsers, wallets, and the presence of security tools. This profile was transmitted to the attackers' servers. If the conditions were met (for example, the presence of a crypto wallet), the second stage was launched: downloading the main malicious module.

This module, known as JSCEAL, runs on Node.js and is designed to steal private keys, logins, passwords, and other sensitive cryptocurrency information. It uses a little-known feature of Google's V8 engine: compiled JavaScript files with the *.jsc extension. This format allows the code to be encrypted and obfuscated, making it invisible to the static analyzers in most antivirus programs. In fact, the code can only be recognized during direct execution.

According to Check Point analysts, this technique allows attackers to bypass most protection systems. JSCEAL is striking not only in its stealth, but also in its scale: the campaign is actively developing, modifying and adapting to bypass even updated antiviruses.
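Because the payload is opaque to static scanning, the chain described above (MSI installer, then PowerShell profiling, then Node.js loading a *.jsc file) is easier to catch from process behaviour. The following triage sketch is an added example, not Check Point's detection logic: the event fields, sample events and both heuristics are assumptions constructed for illustration, and PID reuse is ignored.

```python
import re
from collections import defaultdict

# Constructed process-creation events (pid, parent pid, image, command line); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\a\Downloads\wallet-setup.msi"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoProfile -File profile.ps1"},
    {"pid": 120, "ppid": 110, "image": r"C:\Users\a\AppData\Local\app\node.exe",
     "cmd": r"node.exe loader.js C:\Users\a\AppData\Local\app\main.jsc"},
    {"pid": 200, "ppid": 4, "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": "node.exe server.js"},
    {"pid": 300, "ppid": 4, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Temp\printer-driver.msi"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -File register.ps1"},
]

JSC_ARG = re.compile(r"\.jsc\b", re.IGNORECASE)  # assumed heuristic: a .jsc path on the command line

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def installer_root(pid, by_pid):
    """Walk the parent chain and return the pid of the nearest msiexec.exe ancestor, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against cyclic parent links
        seen.add(pid)
        if basename(by_pid[pid]["image"]) == "msiexec.exe":
            return pid
        pid = by_pid[pid]["ppid"]
    return None

def triage(events):
    """Group signals by installer process tree; both signals together rate 'high'."""
    by_pid = {e["pid"]: e for e in events}
    signals = defaultdict(set)
    for e in events:
        root = installer_root(e["ppid"], by_pid)
        if root is None:
            continue  # process is not a descendant of an installer
        name = basename(e["image"])
        if name in ("powershell.exe", "pwsh.exe"):
            signals[root].add("powershell")
        if name == "node.exe" and JSC_ARG.search(e["cmd"]):
            signals[root].add("node_jsc")
    return {root: ("high" if len(s) == 2 else "review", sorted(s))
            for root, s in signals.items()}

if __name__ == "__main__":
    for root, (severity, found) in triage(EVENTS).items():
        print(root, severity, found)
```

An installer that only spawns PowerShell is common in legitimate software, which is why that signal alone is rated for review rather than as high severity.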

In 2023–2025, crypto users became one of the main targets of cybercriminal groups. Fraudsters are increasingly creating complete fake ecosystems: websites, branding, interfaces, mobile applications, and advertising all look authentic. At the same time, attack techniques are improving, from simple phishing to complex tools that are integrated at the system access level. JSCEAL is a vivid example of a new wave of attacks focused on scale, depth of penetration and almost complete invisibility to an ordinary user. Experts advise users not to follow crypto service advertisements, to check URLs, not to download installers from unverified sources, and to keep antivirus software up to date.

As a reminder, we also published an article about how, following the attempted kidnapping of relatives of a crypto CEO in France and the hacker attack on Coinbase that leaked personal data of customers, wealthy cryptocurrency owners around the world are increasing their personal security. The demand for personal security and special equipment is growing rapidly.
