Bitcoin wallets drained as infostealer malware targets Call of Duty players
Electrum BTC wallets have reportedly been drained, but the amount stolen remains unconfirmed.
A group of unidentified cybercriminals has released an information stealer malware targeting gamers who cheat in Call of Duty, resulting in the theft of bitcoin (BTC) holdings from affected players.
The malware has already compromised hundreds of thousands of accounts, with the numbers continuing to grow.
According to vx-underground, an information security and malware market resource, the malware has impacted at least 561,000 Activision accounts, over 3.6 million Battlenet accounts, as well as over 117,000 accounts from Elite PVPers.
“Impacted users have begun reporting being victims of crypto-draining — their Electrum BTC wallets have been drained. We do not have any information on the amount of money stolen,” vx-underground said in a disclosure published on X.
Over the past couple of days we have become aware of malware targeting gamers! More specifically, a currently unidentified Threat Actor is utilizing an infostealer to target individuals who cheat (Pay-to-Cheat) in video games.
A Call of Duty cheat provider (PhantomOverlay) was…
— vx-underground (@vxunderground) March 27, 2024
Activision Blizzard, the American video game holding company behind the Call of Duty series, has confirmed the existence of the malware and said that they are working with PhantomOverlay, one of the providers of cheat engines and codes for the video game series. Activision Blizzard became a subsidiary of Microsoft after a $68.7 billion acquisition in 2022.
This is not the first time that game cheaters have been targeted by exploiters. In 2018, a supposed cheat for the popular video game Fortnite turned out to be malware designed to steal Bitcoin wallet login details. Fortnite players were again targeted in 2019, with hackers blocking access to users’ entire device data.
“There is not enough data yet on how [the malware] is spreading, [it] could be only affecting folks who have third-party tools installed,” a source familiar with the matter said.
PhantomOverlay first noticed the suspicious activity when users reported unauthorized purchases. Other cheat providers, such as Elite PVPers, have also confirmed similar attacks on vx-underground in the past week.
However, while the current estimated number of compromised accounts is substantial, PhantomOverlay said in a Telegram broadcast message on Wednesday that the figures “are inflated,” dismissing database logins as “invalid garbage.”
Separately, PhantomOverlay also claimed that they had some idea who the threat actors behind the malware distribution scheme are.
“[…] the malware gang is aware of suspicions on them [and have] made it increasingly hard to prove anything,” PhantomOverlay said.
To date, the total amount of crypto stolen remains unknown.