Pennywise the YouTube Crypto Thief – Even Eviler Than You Thought

Updated by Levy Prata
In Brief
  • Security experts have warned of a new malware that could cost victims all their crypto holdings.
  • The malware lurks on YouTube and over two dozen crypto wallets are at risk.
  • Malware has continued to plague the crypto industry with billions of dollars lost to hackers in the first half of 2022.
  • promo

    Bnext Launches Its Utility Token on Read Now

YouTube users are being warned to be vigilant after a new variant of crypto-malware designed to steal data from 30 crypto wallets was identified.

Pennywise, named after the malevolent clown in Stephen King’s novel It, is designed to trick users into downloading malware, said cyber intelligence company Cyble.

The malware is masked as free Bitcoin mining software by hackers, said Cyble. Popular video-sharing site YouTube appears to be the primary means of spreading the malware as hackers have made over 70 videos with links in the description for victims to download the “mining software.”

After downloading the malware, victims are instructed to disable their anti-virus after being tricked by a virus-free file. The rest of the malware is downloaded into the victim’s device, and the use of an unknown encrypter makes debugging a herculean task.

Pennywise takes things up a notch by using multithreading to steal data at a faster pace.

The malware has the ability to take screenshots and access data from discussion platforms like Telegram and Discord. “Though the stealer is fresh, the Threat Actor (s) has already rolled an updated version, 1.3.4.,” said Cyble.

YouTube malware targets browsers and wallets

Pennywise casts a large shadow with several kinds of wallets coming under direct threat from the malware. 

The report noted that the malware currently targets over 30 kinds of Chrome-based browsers, five Mozilla-based browsers, and the Microsoft Edge browser. Cold wallets are also targeted by the malware.

Pennywise targets victims globally but excludes individuals from Russia, Belarus, Ukraine, and Kazakhstan. 

Cyble notes that the exclusion of these countries is probably “to avoid scrutiny by Law Enforcement Agencies.”

Individuals have been advised to avoid clicking on suspicious links on the internet, use a strong password and enable two-factor authentication (2FA) on accounts.

The rise of crypto malware

Crypto malware costs investors billions in losses. Colonial Pipeline fell victim in 2021 and the company had to pay $4.4 million as ransom to the attackers, widely considered to be DarkSide. 

Now law enforcement agencies have begun to fight back. Last week, a member of the NetWalker ransomware gang was arraigned and pleaded guilty to charges of money laundering in a U.S. court. 

NetWalker has racked up illicit proceeds of nearly $50 million since it started operations in 2020, with hospitals and schools being their primary targets.


All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.