149M Stolen Credentials Expose 420K Binance Accounts in Malware Attack

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

A massive dataset containing 149 million stolen credentials, including login details for 420,000 Binance accounts, has been discovered circulating among cybercriminals. This breach, revealed by security firm Web3 Antivirus, highlights a dangerous evolution in cryptocurrency theft toward long-term malware infections that steal sensitive data directly from users’ devices. The findings expose critical vulnerabilities in the crypto ecosystem, where by the time suspicious activity appears on-chain, it is often too late to prevent devastating financial losses.

Key Points

  • Malicious AI skills on platforms like ClawHub are being used to install information-stealing malware that remains dormant until victims' crypto balances grow.
  • Wallet drainers led to $4.25 million in losses in January 2025, with 15,530 suspicious approvals across 11,908 wallets, highlighting the importance of pre-signature detection.
  • Centralized exchanges and large organizations were targeted for 75% of stolen funds in 2025, indicating a shift in cybercriminals' focus toward high-value institutional targets.

The Anatomy of a Modern Crypto Heist

The stolen dataset, compiled from information-stealing malware or “infostealers” installed on victim devices, represents a fundamental shift in attack methodology. According to the alert posted by Web3 Antivirus on February 4, these malware strains capture a comprehensive suite of sensitive data, including passwords, private keys, API keys, and browser session tokens for email, social, and financial platforms. This data provides cybercriminals with the keys for future account takeovers and fund theft, emphasizing that prevention now requires early detection at the device level.

Beyond traditional malware, the security firm detailed a separate, sophisticated threat vector: malicious AI skills on platforms like ClawHub. These fraudulent skills, posing as legitimate wallet tools or trading bots, are used to install information-stealing malware that can remain dormant. The malware activates only when a victim’s crypto balance grows or specific actions are taken, representing a supply-chain risk that moves upstream “from wallets to the tools people trust to manage them.” This patient, targeted approach allows thieves to maximize their haul from a single, long-term infection.

The Soaring Scale of Crypto Theft and Loss

The scale of losses from such attacks is staggering. A recent report from blockchain security firm PeckShield noted that scams and hacks drained over $4.04 billion in 2025, with scams alone jumping 64% year-over-year. The firm observed a strategic move by criminals toward targeting centralized exchanges and large organizations, which accounted for a dominant 75% of all stolen funds in 2025. This indicates a shift in focus toward high-value institutional targets where larger sums can be extracted in a single breach.

Meanwhile, Web3 Antivirus provided an even broader perspective, estimating the total volume of 2025’s illicit crypto activity at approximately $158 billion, a sharp increase from $64 billion in 2024. While the security provider partly attributed this rise to better tracking methodologies and more state-linked activity, the figures underscore a brutal reality: even small success rates for thieves can result in catastrophic losses at scale. The exposure of 420,000 Binance accounts within a 149-million-credential trove exemplifies how a single malware campaign can threaten a vast user base.

The Critical Protection Gap and Evolving Threats

The recent data thefts highlight a persistent and dangerous gap between user awareness and platform-level protection. Web3 Antivirus argued that “scams don’t succeed because users ignore advice; they succeed because risk is only surfaced after execution is already possible.” The firm positioned platforms, which can monitor transaction approvals and user behavioral patterns in real-time, as sitting at “the last real control point” for preventing theft. This places significant responsibility on exchanges and wallet providers to implement more proactive security measures.

One of the most prevalent and worsening attack vectors is the wallet drainer. Web3 Antivirus reported that in January alone, 15,530 suspicious transaction approvals across 11,908 wallets led to $4.25 million in losses. These drainers typically infiltrate through malicious transaction approvals, making pre-signature detection—identifying and blocking harmful transactions before a user signs them—an extremely important line of defense. The combination of stealthy infostealers, patient malware, and instant wallet drainers creates a multi-layered threat environment that challenges both individual vigilance and existing security infrastructures.
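To make the pre-signature idea concrete, here is an added example (not code from the article or from Web3 Antivirus) of a wallet-side check that inspects an ERC-20 `approve` or ERC-721/1155 `setApprovalForAll` call before the user signs it, flagging unlimited allowances and spenders the user has never interacted with. The function selectors are the real ABI prefixes for those two methods; the spender allowlist, the `encodeApprove` helper and the sample transaction are constructed for the demonstration.

```javascript
// Added example: pre-signature screening of token approval requests,
// the transaction type wallet drainers rely on. Not from the article.
const SELECTOR_APPROVE = "095ea7b3";               // approve(address,uint256)
const SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465";  // setApprovalForAll(address,bool)
const UINT256_MAX = (1n << 256n) - 1n;             // "unlimited" allowance value

// Constructed allowlist: contracts this user has deliberately approved before.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// ABI arguments are 32-byte words (64 hex chars) after the 4-byte selector.
function wordAt(data, index) {
  const start = 8 + index * 64;
  return data.slice(start, start + 64);
}

// Returns { risk: "none" | "allow" | "warn" | "block", findings: [...] }.
function analyzeApproval(tx) {
  const data = tx.data.toLowerCase().replace(/^0x/, "");
  const selector = data.slice(0, 8);
  const isApprove = selector === SELECTOR_APPROVE;
  const isApproveAll = selector === SELECTOR_SET_APPROVAL_FOR_ALL;
  if (!isApprove && !isApproveAll) return { risk: "none", findings: [] };
  // Both methods take exactly two words; truncated calldata is refused outright.
  if (data.length < 8 + 2 * 64) return { risk: "block", findings: ["malformed-calldata"] };

  const findings = [];
  const spender = "0x" + wordAt(data, 0).slice(24);   // address is right-aligned in the word
  const value = BigInt("0x" + wordAt(data, 1));
  if (isApprove && value === UINT256_MAX) findings.push("unlimited-allowance");
  if (isApproveAll && value === 1n) findings.push("approve-all-nfts");
  const grantsSomething = isApprove ? value > 0n : value === 1n;
  if (grantsSomething && !KNOWN_SPENDERS.has(spender)) findings.push("unknown-spender");

  const risk = findings.length >= 2 ? "block" : findings.length === 1 ? "warn" : "allow";
  return { risk, findings };
}

// Constructed helper so the sample below is valid approve() calldata.
function encodeApprove(spender, amount) {
  return "0x" + SELECTOR_APPROVE
    + spender.slice(2).toLowerCase().padStart(64, "0")
    + amount.toString(16).padStart(64, "0");
}

// Constructed sample: a drainer-style unlimited approval to a never-seen contract.
const sampleTx = { data: encodeApprove("0x2222222222222222222222222222222222222222", UINT256_MAX) };
console.log(analyzeApproval(sampleTx));   // { risk: "block", findings: [ "unlimited-allowance", "unknown-spender" ] }
```

A real wallet would populate the allowlist from the user's own approval history and would surface the `findings` in the signing prompt rather than silently blocking.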
