A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. Of the 850 browser extensions it targets, 728 are for cryptocurrency wallets, covering essentially every crypto wallet ever conceived by human optimism. Apart from cryptocurrency wallets, Torg Grabber steals data from 103 password managers and two-factor authentication tools, and 19 note-taking apps. The marquee names are all there – MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, Solflare, the researchers say.
But the list doesn’t stop at the big names. It keeps going, deep into the long tail, past projects with install counts you could fit in a phone booth. Torg Grabber also targets information from Discord, Telegram, Steam, VPN apps, FTP apps, email clients, password managers, and desktop cryptocurrency wallet apps.
A new info-stealing malware named Torg Grabber is siphoning data from 850 browser extensions, including more than 700 focused on cryptocurrency wallets. The campaign demonstrates the breadth of targets and the scale of risk facing users who rely on browser-based crypto tools. Of the 850 extensions targeted, 728 are wallet-related, covering essentially every crypto wallet in circulation.
Beyond wallets, Torg Grabber also harvests information from 103 password managers, two-factor authentication tools, and 19 note-taking apps, expanding the attack surface well beyond just wallet ecosystems. Marquee wallet names appear in the list—MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, Solflare—alongside numerous smaller projects. Researchers note the threat extends deep into the long tail, targeting apps and services used by crypto enthusiasts and developers alike.
Leave a Reply