Kaspersky warns: Encrypted Trojan Stealka invades mainstream game mods, GTA5 and Roblox players are affected

Stealka’s fund-stealing attack targets game communities, browser wallets and cryptographic libraries, exposing information security gaps in the Web3 era
(Previous summary: Chainalysis report: North Korean hackers stole US$2 billion in crypto assets in 2025, with Bybit becoming the biggest victim)
(Background supplement: Security company: North Korean hackers have penetrated 15~20% Cryptocurrency companies)

Contents of this article

On the eve of the Christmas holiday, it should have been a relaxing time to download games with special offers and update modules, but it was overshadowed by an information-stealing software called Stealka. According to Kaspersky’s detection in November, attackers packaged malicious programs into modules and cheating tools for popular games Roblox and GTA V, and uploaded them to mainstream platforms such as GitHub, SourceForge, and Google Sites. The moment the victim clicks to download, it is equivalent to handing over the key to the safe at home.

Trusting the platform has become the biggest vulnerability

The most difficult thing to prevent in this wave of actions is that it uses the "legal cloak" to weaken vigilance. Stealka is distributed through common open source websites and can be obtained without delving into the dark web. Kaspersky researcher Artem Ushkov said:

"The attackers most likely used AI tools to generate fake websites with extremely professional looks. These websites look impeccable enough to remove the last remaining doubts of the most wary users."

For teenage gamers or users eager to find cracked versions of office software, clicking on the link is almost a reflex action. Because of this, attackers were able to infiltrate tens of thousands of home computers in a short period of time.

Browser database: a vault locked by hackers

Unlike traditional destructive viruses, Stealka pursues "silent and complete" data harvesting. According to Kaspersky research, it supports capturing autofill forms, passwords and cookies for more than 100 Chromium and Gecko based browsers. To make things even more tricky, Stealka can read data from 115 browser extensions, including MetaMask, Binance, Coinbase wallets, and password managers such as 1Password. At the same time, it will scan more than 80 desktop encryption wallet programs such as Exodus and MyCrypto to directly steal private keys and mnemonic phrases. Once hackers obtain these credentials, user assets may be emptied within minutes.

Global proliferation outpaces defense deployment

Stealka is not an isolated case, but a microcosm of the escalation of information theft threats in 2025. Statistics show that from January to October this year, malware targeting game modules was detected a total of 384,000 times. Although the earliest affected areas were concentrated in Russia, it has recently spread to Germany, Brazil, India, Türkiye and other places. The speed of cross-border transmission far exceeds the update frequency of most anti-virus solutions, creating a dilemma of "detecting lagging infections".

Zero trust becomes the last line of personal defense

The Stealka incident highlights the shift in responsibilities after the integration of Web3 and traditional finance: when users have asset sovereignty, they must also bear the risk of protecting private keys. Experts suggest that in addition to updating anti-virus software and browsers, the most critical thing is to develop a zero-trust download habit—even if the file comes from an official-looking open source platform, double-check the source and file hash value. For crypto wallet holders, moving large amounts of assets to cold wallets and avoiding installing wallet extensions in game browsers are pragmatic ways to reduce losses.

As the Trump administration has promoted friendly encryption policies since taking office, the market has become more popular, attracting more novices to participate, and also allowing hackers to see opportunities. Stealka reminds investors that the real risks are often hidden in the most everyday entertainment scenes. The next time you download a seemingly innocuous “free mod,” think about whether that file is worth risking your entire wallet on.