New JSCEAL Attack Aims to Steal Credentials and Wallets from Crypto App Users
gbhackers
Check Point Research (CPR) has identified a sophisticated malware campaign dubbed JSCEAL, which targets users of cryptocurrency trading applications through malicious advertisements and compiled JavaScript payloads.
Active since at least March 2024, the operation has evolved to incorporate advanced anti-analysis techniques, including modular infection flows and the use of Node.js to execute compiled V8 JavaScript (JSC) files.
This campaign impersonates nearly 50 popular crypto apps, leveraging paid malvertising on social media platforms to distribute fake installers.
In the first half of 2025, threat actors deployed approximately 35,000 malicious ads, garnering millions of views in the European Union alone, with potential global reach exceeding 10 million users based on social media demographics.
Campaign Discovery
The JSCEAL malware focuses on exfiltrating cryptocurrency-related data, such as credentials, wallets, browser cookies, autocomplete passwords, and Telegram accounts.
It employs techniques like keylogging, screenshot capture, Man-in-the-Browser (MitB) attacks, and Man-in-the-Middle (MitM) interception via local ...
Copyright of this story solely belongs to gbhackers.