Mar 20, 2025

Malware Disguised as “Cracked” TradingView Premium Steals Crypto on Reddit

Malware disguised as a cracked version of TradingView Premium is circulating on Reddit, targeting cryptocurrency traders and stealing personal data and digital assets. Cybersecurity firm Malwarebytes identified the campaign, warning that the lure of free trading software is being used to deploy Lumma Stealer and Atomic Stealer, two well-known information stealers.

The scheme involves fraudsters posting links to Windows and Mac installers for “TradingView Premium Cracked” on cryptocurrency-related subreddits. Victims who download and install the software unknowingly run malware that harvests wallet and credential data, which the attackers then use to drain their crypto wallets.

Jerome Segura, a senior security researcher at Malwarebytes, reported in a March 18 blog post that some victims not only lost their assets but were also impersonated by the attackers to spread phishing links.

The attackers claim the software is fully unlocked and provides premium features at no cost. In reality, it is embedded with Lumma Stealer and Atomic Stealer.

Lumma Stealer, which has been active since 2022, specifically targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, giving attackers what they need to get past the second factor on exchange and wallet logins. Atomic Stealer, first detected in April 2023, is known for extracting sensitive data, including administrator credentials and keychain passwords.

Malwarebytes screenshot of a Reddit post selling “cracked” TradingView. Source: Malwarebytes Research

Malwarebytes found that beyond TradingView Premium Cracked, other fraudulent trading programs are being offered through similar deceptive tactics. The scammers do not simply post links and leave; they actively engage with users in the comments, assisting with downloads and troubleshooting installation issues.

“What’s interesting with this particular scheme is how involved the original poster is, going through the thread and being ‘helpful’ to users asking questions or reporting an issue,” Segura said.

Malware Hosted on Dubious Platforms

Who is behind the campaign remains unclear, but Malwarebytes traced the download hosting to the website of a Dubai-based cleaning company, a site with no plausible connection to trading software, suggesting it was compromised. The command-and-control domain was registered in Russia just a week before the malware was discovered. The way the software is distributed raises several red flags on its own.

Both the Mac and Windows versions are double-zipped, and the innermost archive requires a password to extract. Password protection keeps the hosting platform, the browser and antivirus scanners from inspecting the contents before the user unpacks them; legitimate software distribution has no need for it.

On Mac, the installer is a modified variant of AMOS (Atomic macOS Stealer, the Atomic Stealer named above) that checks for virtual machines before running. If it detects an emulated environment such as QEMU or VMware, it exits with an error code to frustrate sandbox analysis.

On Windows, the payload is launched through an obfuscated batch file, which in turn runs a malicious AutoIt script. The command-and-control domain, cousidporke[.]icu, was registered in Russia, a possible but not conclusive indicator of where the operators are based.
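As an added example (not code from Malwarebytes or from this article), the following Python script triages a downloaded zip for the indicators described in the last few paragraphs: an archive nested inside an archive, password-protected entries, and executable or script payloads hidden inside. The zip format stores each entry's "encrypted" flag in the clear in the central directory, so a scanner can tell that an archive is password-protected, and which file names it hides, without knowing the password. The sample archives, file names and the rule for calling something "suspicious" are constructed for the demonstration; nothing is downloaded.

```python
"""Added example (not Malwarebytes' code): triage a downloaded zip for the
red flags described above without extracting anything.

Heuristics assumed here:
  * nesting: an archive inside an archive ("double-zipped"),
  * password protection: the encryption bit in each entry's zip header, which
    is visible in the clear even though the contents are not,
  * executable or script payloads (.exe, .bat, AutoIt .a3x, .dmg, ...) inside.
Every sample archive below is constructed in this file; nothing is downloaded.
"""
import io
import zipfile

ZIP_ENCRYPTED = 0x1  # bit 0 of the general-purpose flag word in every zip header
EXEC_SUFFIXES = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".a3x",
                 ".dmg", ".pkg", ".sh", ".command")


def triage_zip(data: bytes, depth: int = 0, max_depth: int = 4) -> dict:
    """Walk an archive and any archives inside it, reading metadata only.

    Encrypted entries are never extracted: the flag bit is stored unencrypted
    in the central directory, so an entry can be identified as
    password-protected without knowing the password.
    """
    result = {"max_depth": depth, "encrypted": [], "executables": [], "opaque": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            encrypted = bool(info.flag_bits & ZIP_ENCRYPTED)
            if encrypted:
                result["encrypted"].append(name)
            if name.lower().endswith(EXEC_SUFFIXES):
                result["executables"].append(name)
            if not name.lower().endswith(".zip"):
                continue
            if encrypted or depth >= max_depth:
                # A password-protected (or absurdly deep) inner archive cannot
                # be inspected; that in itself is worth flagging.
                result["opaque"].append(name)
                continue
            try:
                inner = triage_zip(zf.read(name), depth + 1, max_depth)
            except zipfile.BadZipFile:
                result["opaque"].append(name)  # claims to be a zip but is not
                continue
            result["max_depth"] = max(result["max_depth"], inner["max_depth"])
            for key in ("encrypted", "executables", "opaque"):
                result[key].extend(f"{name}::{item}" for item in inner[key])
    result["suspicious"] = bool(
        result["encrypted"] or result["opaque"]
        or (result["max_depth"] >= 1 and result["executables"])
    )
    return result


def build_zip(entries: dict) -> bytes:
    """Constructed sample archive. Entries are stored, not compressed, so the
    bytes are predictable for the header patching below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def set_encrypted_flag(zip_bytes: bytes) -> bytes:
    """Turn on the encryption bit in every local header (signature 'PK' 03 04,
    flags at offset 6) and central-directory header ('PK' 01 02, flags at
    offset 8). This reproduces the metadata of a password-protected archive
    for the samples; the contents are not really encrypted, which does not
    matter because the triage above never extracts flagged entries."""
    out = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_offset] |= ZIP_ENCRYPTED
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


# Constructed lookalike of the bait: an inner password-protected archive holding
# the "installer", wrapped in an outer archive alongside the password note.
INNER = set_encrypted_flag(build_zip({
    "TradingView Premium/TradingView.exe": b"MZ stand-in for a stealer binary",
    "TradingView Premium/install.bat": b"@echo off\r\nrem obfuscated launcher stub\r\n",
}))
BAIT = build_zip({
    "TradingView Premium Cracked.zip": INNER,
    "PASSWORD.txt": b"archive password: 1234\r\n",
})
# Outer archive whose inner zip entry is itself flagged encrypted: it cannot be
# looked into at all, which is flagged as "opaque".
OPAQUE = set_encrypted_flag(build_zip({"payload.zip": INNER}))
# Control: a plain archive with nothing of interest.
CLEAN = build_zip({"notes/readme.txt": b"quarterly report\n"})

if __name__ == "__main__":
    for label, sample in (("bait", BAIT), ("opaque", OPAQUE), ("clean", CLEAN)):
        r = triage_zip(sample)
        print(f"{label}: suspicious={r['suspicious']} depth={r['max_depth']} "
              f"encrypted={len(r['encrypted'])} executables={r['executables']} "
              f"opaque={r['opaque']}")
```

The point of reading only the central directory is that the check is safe to run on an untrusted download: no archive member is executed or written to disk, and a password-protected inner archive is treated as a finding rather than a dead end.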

Crypto Scams Becoming More Sophisticated

Chainalysis, a blockchain analytics firm, reported in its 2025 Crypto Crime Report that illicit cryptocurrency transactions reached an estimated $51 billion in 2024. Cybercriminals are adopting increasingly advanced methods, including AI-driven scams and laundering through stablecoins. The professionalization of crypto-related cybercrime makes it harder for users to distinguish legitimate offers from sophisticated fraud schemes.

Malwarebytes emphasized that cracked software has been a common malware distribution vector for decades. “The lure of a free lunch is still very appealing,” Segura noted. The firm advised crypto traders to remain vigilant, never disable security software to get an installer to run, and treat password-protected downloads or software hosted on obscure sites as warning signs.

As cryptocurrency scams evolve, traders must exercise greater caution to avoid falling victim to malware designed t

CoinRock Media covers the latest crypto news, delving into the future of money.