Cybersecurity Firm Warns of Crypto-Stealing Trojans in “Cracked” Trading Software

Mar 20, 2025 - 17:30

TLDR

  • Cybersecurity firm Malwarebytes has identified malware hidden in “cracked” versions of TradingView Premium being shared on crypto subreddits
  • The malware includes Lumma Stealer and Atomic Stealer (AMOS), which target crypto wallets and can steal personal data
  • Victims have had their crypto wallets emptied and their accounts used to send phishing links to contacts
  • The scammers remain active in Reddit threads, “helping” users download the infected software
  • Both Windows and Mac users are targeted with platform-specific malware variants

Crypto traders looking for free versions of premium trading tools are falling victim to a sophisticated malware scheme that empties digital wallets and steals personal information, according to a recent warning from cybersecurity firm Malwarebytes.

The scam revolves around “cracked” versions of TradingView Premium, popular charting software used by many crypto traders. These fake versions are being shared through posts on Reddit cryptocurrency communities.

The fraudulent software contains dangerous malware designed to target cryptocurrency holdings. Windows users are infected with Lumma Stealer, while Mac users receive the AMOS malware variant.

Jerome Segura, a senior security researcher at Malwarebytes, detailed the threat in a March 18 blog post. He explained that victims have had their crypto wallets completely emptied.

In many cases, the thieves then use the compromised accounts to impersonate victims. They send phishing links to the victim’s contacts to spread the attack further.

The scammers advertise their posts as providing free access to premium features. They claim the software has been “cracked” from the official version, making paid features available at no cost.

This promise of getting expensive software for free serves as the bait. However, the download links redirect users to unrelated websites rather than TradingView’s official site.

How the Scammers Maintain Credibility

What makes this scheme particularly convincing is the level of involvement from the scammers. They remain active in the Reddit threads where they post the malicious links.

The fraudsters respond to user questions and help troubleshoot any issues with downloading the infected software. This hands-on approach helps build trust with potential victims.

The malware is distributed in a suspicious manner that should raise red flags. Segura noted that “files are double zipped, with the final zip being password protected.”

He added that “a legitimate executable would not need to be distributed in such fashion.” This unusual packaging method is a common indicator of malicious software.
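The packaging Segura describes can be checked for without extracting anything to disk. The following is an added example, not code from Malwarebytes or the original article; the function names, the size limit and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

ENCRYPTED = 0x1            # ZIP general-purpose flag bit 0: entry needs a password
MAX_INNER = 64 * 1024**2   # assumed limit: do not unpack nested members above this

def inspect_archive(data, depth=0, max_depth=3):
    """List (depth, name, kind) findings for a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED:
                findings.append((depth, info.filename, "encrypted"))
            elif not info.is_dir() and depth < max_depth and info.file_size <= MAX_INNER:
                inner = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings.append((depth, info.filename, "nested-zip"))
                    findings.extend(inspect_archive(inner, depth + 1, max_depth))
    return findings

def is_double_zipped_and_locked(data):
    """True when an encrypted entry sits inside a ZIP that is itself inside a ZIP."""
    return any(kind == "encrypted" and depth >= 1
               for depth, _, kind in inspect_archive(data))

def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def mark_encrypted(zip_bytes):
    """Set the encryption flag on a single-entry ZIP; zipfile cannot write real encryption."""
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        buf[buf.find(signature) + flag_offset] |= ENCRYPTED
    return bytes(buf)

# Constructed samples: placeholder bytes only, no real installer or malware.
LOCKED_INNER = mark_encrypted(make_zip({"setup.exe": b"placeholder"}))
SUSPICIOUS = make_zip({"inner.zip": LOCKED_INNER})
BENIGN = make_zip({"docs.zip": make_zip({"readme.txt": b"hello"})})

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, inspect_archive(sample), is_double_zipped_and_locked(sample))
```

A match is a reason to quarantine the download for review, not proof of malware; a password-protected archive that is not nested does not trigger the check.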

Lumma Stealer has been targeting crypto users since 2022. It focuses on stealing information from cryptocurrency wallets and browser extensions used for two-factor authentication.

Atomic Stealer (AMOS), first discovered in April 2023, has the ability to capture sensitive data. This includes administrator passwords and information stored in the Mac keychain system.

Malwarebytes researchers traced the hosting website to a Dubai cleaning company. The command and control server for the malware was registered by someone in Russia about a week before the report.

The scam takes advantage of the “lure of a free lunch,” as Segura put it. The promise of premium software at no cost remains tempting even though cracked software has been a known malware vector for decades.

Blockchain analytics firm Chainalysis has noted this type of attack fits into broader trends. Their 2025 Crypto Crime Report described a “professionalized era” of crypto crime featuring AI-driven scams and efficient cyber syndicates.

Chainalysis estimates that illicit transaction volume in the crypto space reached $51 billion in the past year. This TradingView scam represents just one of many schemes targeting crypto holders.

Users should be wary of common red flags when downloading software. These include instructions to disable security software and password-protected files from unofficial sources.
