New Storm Infostealer Emerges as a Stealthy Threat to Browser and Crypto Security Security researchers at Varonis have identified Storm, a sophisticated infostealer malware that harvests browser credentials, session cookies, and cryptocurrency wallets before exfiltrating encrypted data to attacker-controlled servers. First observed on underground cybercrime forums in early 2026, Storm represents an evolution in credential theft tactics, bypassing traditional detection methods. Unlike earlier infostealers that decrypted data locally making them vulnerable to endpoint security tools Storm avoids detection by transmitting encrypted files to remote infrastructure for decryption. This approach circumvents protections like Google’s App-Bound Encryption (introduced in Chrome 127 in July 2024), which previously forced attackers to rely on detectable methods such as Chrome injection or debugging protocol abuse. Storm targets both Chromium-based (Chrome, Edge) and Gecko-based browsers (Firefox, Waterfox, Pale Moon), extracting saved passwords, session cookies, autofill data, Google account tokens, credit card details, and browsing history. It also captures system information, screenshots, and session data from messaging apps like Telegram, Signal, and Discord, while targeting crypto wallets via browser extensions and desktop applications. All operations run in memory to minimize forensic traces. A key feature of Storm is its automation: rather than requiring manual replay of stolen logs, it uses Google Refresh Tokens and geographically matched SOCKS5 proxies to silently restore authenticated sessions, granting attackers access to SaaS platforms, internal tools, and cloud environments without triggering password-based alerts. Available for under $1,000 per month, Storm has already compromised victims across multiple countries, including Brazil, Ecuador, India, Indonesia, the U.S., and Vietnam. Varonis identified 1,715 entries in attacker panels, though some may include test data. The stolen credentials span high-value platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, and Crypto.com data commonly sold on credential marketplaces for account takeovers, fraud, and further cyber intrusions.

Crypto.com suffered a data breach executed by the Scattered Spider hacking group, led by teenage cybercriminals including Noah Urban (18, Florida), who specialized in SIM-swapping and social engineering. The attack exposed personal information of users, though the company claimed only a 'very small number of individuals' were affected and no customer funds were stolen. However, Crypto.com never publicly disclosed the breach to impacted users, raising transparency concerns. The incident was uncovered by a Bloomberg investigation and blockchain investigator ZachXBT, who accused the company of a cover-up. Despite the breach, Crypto.com reported $1.5B in revenue and $1B in gross profit (2023), with CEO Kris Marszalek pushing for an IPO and partnerships (e.g., Trump Media). The attackers, originating from Minecraft gaming communities, exploited telecom employee deception to hijack phone numbers, escalating into high-profile cybercrime targeting MGM Resorts and other corporations.