New ‘Torg Grabber’ Malware Targets 728 Crypto Wallets
Crypto holders beware: Torg Grabber malware is actively stealing from 728 wallets
Crypto investors running browser-based wallets are facing a new, highly sophisticated threat. Torg Grabber, a newly discovered infostealer malware, is actively targeting 728 crypto wallet extensions across 850 browser add-ons—and it’s already in the wild.
This isn’t a proof-of-concept or a limited test run. It’s a full-blown Malware-as-a-Service (MaaS) operation, complete with professional infrastructure, multiple identified operators, and a global deployment footprint. The malware steals seed phrases, private keys, and session tokens through encrypted channels before most endpoint tools even register a detection event.
Who’s at risk?
The primary exposure surface is self-custody users running browser-based wallets like MetaMask, Phantom, and similar hot wallets. If you store your crypto credentials in a browser extension, you’re in the crosshairs.
The attack mechanism is chillingly effective
Torg Grabber starts with a dropper disguised as a legitimate Chrome update file (GAPI_Update.exe, 60 MB). It’s distributed via Dropbox and uses a fake 420-second Windows Security Update progress bar to create a plausible installation window while the real payload deploys.
Once active, the malware scans for 25 Chromium browsers, 8 Firefox variants, Discord, Steam, Telegram, VPN clients, FTP clients, email clients, password managers—and of course, crypto wallets. Stolen data is exfiltrated through Cloudflare endpoints, encrypted with ChaCha20 and authenticated with HMAC-SHA256, so its contents cannot be read in transit and the traffic blends in with the vast volume of legitimate Cloudflare-fronted services. That combination makes it nearly impossible to intercept or block at the network layer without specialized tools.
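Because the exfiltration channel is encrypted and hidden behind Cloudflare, the practical place to catch this family is on the host, before the data leaves. The script below is an added example written for this article (it is not code from the article, from Gen Digital, or from the malware's analysis) that turns the two behaviours described above into host-based detection heuristics and runs them over constructed, Sysmon-style events: a fake "update" executable launched from a user-writable download location with a mark-of-the-web pointing at a file-sharing host, and a single non-browser process reading the extension storage of several browsers in quick succession, which is what a sweep across hundreds of wallet extensions looks like on disk. The only values taken from the article are the dropper file name (`GAPI_Update.exe`) and Dropbox as the delivery channel; every path, process id, timestamp and extension id in the sample events is a placeholder I constructed, and the thresholds are assumptions to be tuned against your own telemetry.

```python
"""Host-side heuristics for the behaviours attributed to Torg Grabber.
Added example, not the article's or any vendor's code; events are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, loosely modelled on Sysmon process-create (1) and
# file-access events. Paths, pids and extension ids are placeholders, not real IoCs.
EVENTS = [
    {"ts": "2025-01-10T10:00:00", "type": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\GAPI_Update.exe",      # dropper name from the article
     "parent": r"C:\Windows\explorer.exe",
     "motw_referrer": "https://www.dropbox.com/s/CONSTRUCTED/GAPI_Update.exe"},
    {"ts": "2025-01-10T10:00:05", "type": "process_create", "pid": 5010,
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",  # legitimate updater, benign
     "parent": r"C:\Windows\System32\services.exe", "motw_referrer": ""},
    {"ts": "2025-01-10T10:00:12", "type": "file_read", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000003.log"},
    {"ts": "2025-01-10T10:00:13", "type": "file_read", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\000003.log"},
    {"ts": "2025-01-10T10:00:14", "type": "file_read", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "path": r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\cccccccccccccccccccccccccccccccc\000003.log"},
    {"ts": "2025-01-10T10:00:15", "type": "file_read", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\storage\default\moz-extension+++11111111-2222-3333-4444-555555555555\idb\data.sqlite"},
    {"ts": "2025-01-10T10:00:20", "type": "file_read", "pid": 7780,   # browser reading its own storage: benign
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000003.log"},
]

# Rule A: an "update" executable started from a user-writable location (assumed patterns).
FAKE_UPDATER = re.compile(r"[\\/][^\\/]*update[^\\/]*\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)
FILE_SHARE_HOSTS = ("dropbox.com",)   # delivery channel named in the article

# Rule B: extension-storage sweep. Chromium ids are 32 chars of a-p; Firefox uses moz-extension+++<uuid>.
EXT_STORE = re.compile(
    r"\\(?:Local Extension Settings|Sync Extension Settings)\\(?P<ext>[a-p]{32})\\"
    r"|\\moz-extension\+\+\+(?P<moz>[0-9a-f-]{36})\\", re.IGNORECASE)
BROWSER_VENDOR = re.compile(r"\\AppData\\(?:Local|Roaming)\\(?P<vendor>[^\\]+)\\", re.IGNORECASE)
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}
SWEEP_MIN_EXTENSIONS = 3   # assumed thresholds; tune to your environment
SWEEP_MIN_VENDORS = 2
SWEEP_WINDOW_S = 60


def detect(events):
    """Return a list of alert dicts for the fake-updater and extension-sweep heuristics."""
    alerts = []
    sweeps = defaultdict(lambda: {"ext": set(), "vendors": set(), "first": None, "last": None, "image": ""})
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create":
            image = ev["image"]
            referrer = ev.get("motw_referrer", "").lower()
            if FAKE_UPDATER.search(image) and USER_WRITABLE.match(image):
                alerts.append({"rule": "fake_updater_dropper", "pid": ev["pid"], "image": image,
                               "from_file_share": any(h in referrer for h in FILE_SHARE_HOSTS)})
        elif ev["type"] == "file_read":
            m = EXT_STORE.search(ev["path"])
            if not m:
                continue
            if ev["image"].rsplit("\\", 1)[-1].lower() in BROWSER_BINARIES:
                continue   # browsers read their own extension storage; only foreign readers count
            vendor = BROWSER_VENDOR.search(ev["path"])
            s = sweeps[ev["pid"]]
            s["ext"].add(m.group("ext") or m.group("moz"))
            if vendor:
                s["vendors"].add(vendor.group("vendor").lower())
            s["first"] = s["first"] or ts
            s["last"] = ts
            s["image"] = ev["image"]
    for pid, s in sweeps.items():
        if (len(s["ext"]) >= SWEEP_MIN_EXTENSIONS and len(s["vendors"]) >= SWEEP_MIN_VENDORS
                and (s["last"] - s["first"]).total_seconds() <= SWEEP_WINDOW_S):
            alerts.append({"rule": "extension_store_sweep", "pid": pid, "image": s["image"],
                           "extensions": len(s["ext"]), "vendors": sorted(s["vendors"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events, both rules fire on the same process while the legitimate Google updater and Chrome's own reads of its extension storage stay quiet. Rule B is the more durable of the two: a renamed dropper defeats the name check, but any stealer that harvests hundreds of wallet extensions still has to open their storage directories, and a non-browser process doing that across several browser vendors within a minute has few benign explanations beyond backup or migration tools, which you can allow-list by image path.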
The numbers tell the story
728 wallet extensions targeted isn’t random—it’s a deliberate sweep of every major browser-based wallet with measurable installation volume. MetaMask alone has over 30 million monthly active users. This malware doesn’t need to find specific victims; it harvests whatever wallet credentials are present on any infected machine.
The MaaS model means multiple operators can deploy custom configurations, and Gen Digital researchers have already identified over 40 operator tags linking the operation to the Russian cybercrime ecosystem.
What this means for your crypto security
If you’re storing seed phrases in browser storage, text files, or password managers, a single Torg Grabber infection could compromise your entire wallet. Exchange-held assets aren’t directly exposed to this attack vector, but session token theft could expose connected exchange accounts if you’re logged in through your browser.
The threat is active, evolving, and professional-grade. This isn’t some amateur operation—it’s a production-ready credential stealer with structured infrastructure that’s already being used in the wild.
Your best defense right now is awareness and immediate action to secure your browser-based crypto activities.
Tags: Torg Grabber, crypto malware, infostealer, wallet security, MetaMask hack, Phantom wallet, crypto theft, browser extension malware, MaaS operation, seed phrase stealer, ChaCha20 encryption, Cloudflare exfiltration, Russian cybercrime, active malware campaign, crypto wallet compromise