Torg Grabber: The 728-Wallet Infostealer Rewriting the Rules of Crypto Endpoint Security
A new infostealer targets every major crypto wallet extension — MetaMask, Phantom, Coinbase, Solflare, Rabby, and 722 more — with memory-only execution, ABE bypass, and ChaCha20-encrypted exfiltration. Here's what DeFi developers and users need to know.
Why Another Infostealer Matters for DeFi
Browser extension wallets are the primary interface for DeFi. MetaMask alone handles over \$200 billion in monthly transaction volume. Phantom dominates Solana. Rabby and Coinbase Wallet serve as the on-ramps for Base and the broader EVM ecosystem.
Torg Grabber, disclosed this week by Gen Digital's threat research team, doesn't target some of these wallets. It targets 728 of them — essentially every crypto wallet extension ever published to the Chrome Web Store. Combined with 103 password manager extensions and 2FA tools, this malware represents the most comprehensive credential-harvesting operation ever documented against the crypto ecosystem.
The DeFi-specific implications go far beyond stolen seed phrases. If your development machine runs browser-based wallet extensions, your deployer keys, multisig signer sessions, and RPC endpoint credentials are all in scope.
The Attack Chain: ClickFix to Credential Theft in Under 60 Seconds
Torg Grabber's infection vector uses the ClickFix technique — a social engineering pattern where attackers hijack the clipboard and trick users into pasting a malicious PowerShell command into their terminal. The full chain:
\`plaintext
- User visits compromised site or receives phishing link
- Site displays fake CAPTCHA / "verify you're human" prompt
- Clipboard is silently replaced with PowerShell one-liner
- User pastes into Run dialog or terminal (Ctrl+V → Enter)
- PowerShell downloads dropper → C:\Windows\{random}.exe
- Three-stage loader chain executes entirely in memory
- Torg Grabber harvests all crypto wallet data
- Encrypted exfiltration to C2 via HTTPS/Cloudflare
`
\
The entire process from infection to exfiltration takes under 60 seconds. The malware never writes its payload to disk — it runs entirely in memory via reflective PE loading, making traditional antivirus file scanning ineffective.
Why the ClickFix Vector Is Particularly Dangerous for Crypto Users
DeFi developers and power users are conditioned to run terminal commands. Copy-pasting installation commands, running forge\ scripts, executing solana-keygen\ — it's muscle memory. The ClickFix technique exploits this conditioning by replacing the clipboard with a command that looks like a legitimate verification step but downloads and executes the dropper.
The Three-Stage Memory-Only Loader
Torg Grabber's sophistication is in its loader chain. Three stages, zero disk writes:
Stage 1: Self-Extracting Loader
The dropper spawns a MinGW PE64 with an encrypted overlay. Configuration is passed via environment variables (GRABBER_HOST\, GRABBER_TAG\, GRABBER_KEY\) — this is a Malware-as-a-Service (MaaS) operation with 40+ documented operators.
\plaintext
Operator config → Environment variables → Loader → Stealer
(GRABBER_HOST=...)
(GRABBER_TAG=operator_id)
(GRABBER_KEY=exfil_key)
\\
Stage 2: Reflective PE Loader with Anti-Analysis
The shellcode from Stage 1 carries the final payload as an AES-256-CBC encrypted blob. After decryption, four cascaded byte transforms (additive shift, XOR, bit rotation, modular multiply) further obfuscate the payload. The loader:
- Resolves APIs by walking the PEB (no imports visible to static analysis)
- Maps the PE manually via
VirtualAlloc\+ section copying - Uses 20 direct NT syscall wrappers with PRNG-obfuscated tables
- Inserts NOP-equivalent functions between stages to confuse decompilers
Stage 3: The Grabber
683 KB, 737 functions, 15 categories. The actual credential harvester.
What Torg Grabber Steals: The Crypto Kill List
728 Crypto Wallet Extensions
Every major wallet is targeted:
EVM Wallets:
- MetaMask, Coinbase Wallet, Rabby, Rainbow, Frame
- Trust Wallet, Brave Wallet, Zerion, Enkrypt
- All major hardware wallet browser companions (Ledger Live Extension, Trezor Suite)
Solana Wallets:
- Phantom, Solflare, Backpack, Glow, Nightly
Multi-Chain:
- Keplr (Cosmos), TronLink, OKX Wallet, Sui Wallet
- Plus 710+ additional wallet extensions including long-tail projects
What Gets Extracted
For each wallet extension, Torg Grabber extracts:
\plaintext
✓ Encrypted vault data (seed phrases, private keys)
✓ Session tokens and authentication state
✓ Transaction history and address book
✓ Connected dApp permissions
✓ Network configurations (custom RPC endpoints with auth tokens)
\\
Beyond Wallets: The Full Harvest
\plaintext
✓ 25 Chromium browsers + 8 Firefox variants (credentials, cookies, autofill)
✓ 103 password manager extensions (LastPass, 1Password, Bitwarden, etc.)
✓ 2FA/TOTP authenticator extensions
✓ Discord tokens (server access, DM history)
✓ Telegram sessions
✓ SSH keys and Git credentials
✓ VPN configurations
✓ Desktop and Documents folder files
✓ System fingerprint (GPU, hardware ID, installed AV)
\\
Chrome App-Bound Encryption Bypass
Since December 2025, Torg Grabber includes a dedicated App-Bound Encryption (ABE) bypass — Chrome's defense against cookie theft. The bypass uses reflective DLL injection into the browser process to access Chrome's COM Elevation Service and extract the master encryption key.
This defeats Chrome 127+'s cookie protection across seven Chromium-based browsers: Chrome, Brave, Edge, Vivaldi, Opera, and two others.
DeFi-Specific Attack Scenarios
Scenario 1: Developer Machine Compromise
A DeFi developer's browser typically contains:
\plaintext
MetaMask → deployer wallet with upgrade authority
Rabby → personal DeFi positions
1Password → SSH keys, GitHub PAT, RPC endpoint credentials
Chrome cookies → GitHub session, Vercel, AWS Console
Git credentials → push access to protocol repos
\\
One ClickFix infection harvests the deployer private key, GitHub access, and CI/CD credentials simultaneously. The attacker can:
- Drain the deployer wallet
- Push malicious code to the protocol's repository
- Access production infrastructure via stolen cloud sessions
Scenario 2: Multisig Signer Compromise
Safe (formerly Gnosis Safe) and Squads Protocol multisigs require M-of-N signers. If Torg Grabber compromises enough signer machines to meet the threshold, the multisig becomes a single point of failure.
With 40+ documented operators and weekly C2 rotation, this is a distributed campaign — multiple operators may independently target different members of the same team without coordination.
Scenario 3: RPC Credential Theft
Custom RPC endpoints stored in wallet extensions often contain authenticated URLs:
\plaintext
https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY
https://mainnet.helius-rpc.com/?api-key=YOUR_KEY
https://rpc.quicknode.com/YOUR_ENDPOINT
\\
Stolen RPC credentials enable:
- Transaction monitoring and frontrunning
- Mempool observation for MEV extraction
- Infrastructure reconnaissance for targeted attacks
Detection: Are You Compromised?
Immediate Endpoint Checks (Windows)
\`powershell
Check for Torg Grabber dropper artifacts
Get-ChildItem C:\Windows\*.exe | Where-Object {
\$.Name -match '^[a-z0-9]{5,8}\.exe\$' -and
\$.CreationTime -gt (Get-Date).AddDays(-30)
} | Select-Object Name, CreationTime, Length
Check for suspicious environment variables
Get-ChildItem Env: | Where-Object {
\$_.Name -match 'GRABBER|TORG'
}
`\
macOS / Linux Checks
\`bash
Check for suspicious PowerShell history (ClickFix remnants)
cat ~/.local/share/powershell/PSReadLine/ConsoleHost_history.txt 2>/dev/null | \
grep -iE "downloadstring|invoke-expression|iex|webclient"
Check outbound connections to known Torg C2 patterns
sudo lsof -i -nP | grep -iE "technologytorg|tara\.net\.bd"
`\
Network-Level Detection
\`python
TORG_INDICATORS = {
"domains": [
"technologytorg.com",
"*.tara.net.bd",
],
"http_patterns": [
{"method": "POST", "path": "/api/auth", "header": "X-Auth-Token"},
{"method": "POST", "path": "/api/upload/chunk", "header": "X-Auth-Token"},
],
}
def check_network_log(log_entry):
for domain in TORG_INDICATORS["domains"]:
if domain.replace("*.", "") in log_entry.get("dst_host", ""):
return "HIGH", f"Known Torg C2 domain: {domain}"
for pattern in TORG_INDICATORS["http_patterns"]:
if (log_entry.get("method") == pattern["method"] and
pattern["path"] in log_entry.get("uri", "")):
return "MEDIUM", f"Torg C2 pattern: {pattern['path']}"
return "CLEAN", None
`\
Defense Playbook for DeFi Teams
Layer 1: Eliminate Browser Wallet Keys on Development Machines
\`plaintext
❌ MetaMask with deployer key on dev laptop
❌ Private keys in browser wallet for testing
❌ Production RPC endpoints stored in browser wallet
✅ Hardware wallets (Ledger/Trezor) for all signing
✅ Separate browser profiles: dev (no real keys) vs signing (airgapped)
✅ Dedicated signing device that never browses the web
✅ RPC endpoints accessed only via server-side environment variables
`\
Layer 2: Smart Contract Rate Limiting Against Stolen Keys
\`solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
contract InfostealerDefenseVault {
mapping(address => uint256) public lastWithdrawal;
mapping(address => uint256) public dailyWithdrawn;
uint256 public constant WITHDRAWAL_COOLDOWN = 1 hours;
uint256 public constant DEFAULT_DAILY_LIMIT = 10 ether;
uint256 public constant LARGE_WITHDRAWAL_DELAY = 24 hours;
struct PendingWithdrawal {
uint256 amount;
uint256 executeAfter;
bool executed;
bool cancelled;
}
mapping(address => PendingWithdrawal[]) public pending;
event WithdrawalRequested(address indexed user, uint256 amount, uint256 executeAfter);
event WithdrawalCancelled(address indexed user, uint256 index);
function withdraw(uint256 amount) external {
require(
block.timestamp >= lastWithdrawal[msg.sender] + WITHDRAWAL_COOLDOWN,
"Cooldown active"
);
if (block.timestamp / 1 days > lastWithdrawal[msg.sender] / 1 days) {
dailyWithdrawn[msg.sender] = 0;
}
if (dailyWithdrawn[msg.sender] + amount > DEFAULT_DAILY_LIMIT) {
pending[msg.sender].push(PendingWithdrawal({
amount: amount,
executeAfter: block.timestamp + LARGE_WITHDRAWAL_DELAY,
executed: false,
cancelled: false
}));
emit WithdrawalRequested(msg.sender, amount, block.timestamp + LARGE_WITHDRAWAL_DELAY);
return;
}
dailyWithdrawn[msg.sender] += amount;
lastWithdrawal[msg.sender] = block.timestamp;
}
function cancelPending(uint256 index) external {
PendingWithdrawal storage p = pending[msg.sender][index];
require(!p.executed && !p.cancelled, "Already finalized");
p.cancelled = true;
emit WithdrawalCancelled(msg.sender, index);
}
}
`\
Layer 3: Solana Program Guards
\`rust
use anchor_lang::prelude::*;
[program]
pub mod infostealer_defense {
use super::*;
pub fn request_withdrawal(ctx: Context<RequestWithdrawal>, amount: u64) -> Result<()> {
let vault = &mut ctx.accounts.vault;
let clock = Clock::get()?;
if clock.unix_timestamp / 86400 > vault.last_withdrawal_day {
vault.daily_withdrawn = 0;
vault.last_withdrawal_day = clock.unix_timestamp / 86400;
}
if vault.daily_withdrawn + amount > vault.daily_limit {
let pending = &mut ctx.accounts.pending_withdrawal;
pending.amount = amount;
pending.execute_after = clock.unix_timestamp + 86400;
pending.cancelled = false;
pending.executed = false;
msg!("Large withdrawal queued with 24h delay");
return Ok(());
}
vault.daily_withdrawn += amount;
Ok(())
}
pub fn cancel_withdrawal(ctx: Context<CancelWithdrawal>) -> Result<()> {
let pending = &mut ctx.accounts.pending_withdrawal;
require!(!pending.executed, ErrorCode::AlreadyExecuted);
pending.cancelled = true;
msg!("Withdrawal cancelled");
Ok(())
}
}
`\
The 10-Point Endpoint Security Checklist for Crypto Teams
Device Hygiene
- [ ] No production keys on browsing machines — signing on dedicated devices
- [ ] Separate browser profiles — dev (no real keys) vs personal
- [ ] Clipboard monitoring — use a manager that logs changes
- [ ] PowerShell execution policy — AllSigned on Windows
Wallet Architecture
- [ ] Hardware wallets for all high-value operations
- [ ] Daily withdrawal limits on-chain — rate limiting as backstop
- [ ] Multisig with device diversity — different OS/hardware per signer
- [ ] No RPC credentials in browser wallets
Monitoring
- [ ] Extension integrity monitoring — hash-based verification
- [ ] Network egress monitoring — flag connections to new domains
The Uncomfortable Truth About Browser-Based Crypto
Torg Grabber didn't invent a new attack class. It industrialized an existing one. The crypto industry has spent billions on smart contract audits, formal verification, and on-chain monitoring — while the primary user interface remains a JavaScript extension running in a web browser, protected by nothing more than a password or biometric that an infostealer can bypass entirely.
The 728 wallets in Torg Grabber's target list aren't just a number. They're a map of the entire ecosystem's attack surface. Every wallet that stores keys in browser-accessible storage is a target. Every developer who signs transactions from their daily-driver laptop is a liability.
Your smart contract is only as secure as the device that holds the signing key. And right now, that device is running a web browser.
This is part of the DeFi Security Research series. Follow for weekly deep dives into vulnerabilities, audit techniques, and security best practices across EVM and Solana ecosystems.
Top comments (0)