SlowMist Chief Information Security Officer 23pds reports the AMOS Trojan variant 'Odyssey' is stealing cryptocurrency wallet information via fake AI tool advertisements, highlighting significant security risks.
Executive Summary
On September 18, SlowMist Chief Information Security Officer 23pds revealed that Odyssey, a variant of the AMOS information-stealing Trojan, is actively targeting cryptocurrency users. This malware propagates through fake artificial intelligence (AI) tool advertisements on platforms such as Twitter, tricking individuals into downloading malicious software disguised as legitimate AI client applications. Once installed, Odyssey is designed to exfiltrate sensitive data, including cryptocurrency wallet information, system details, and browser data.
The Event in Detail
Odyssey is sophisticated malware that uses AppleScript as its primary payload to carry out data theft. The attack vector relies on social engineering, leveraging the popularity of AI tools to distribute the malware. Users who encounter these fraudulent advertisements are prompted to download what appears to be legitimate AI client software. The downloaded application, however, is malicious and designed specifically to steal sensitive information. This includes private keys and seed phrases from browser-based cryptocurrency wallets such as MetaMask, Trust Wallet, Phantom, Exodus, Coinbase Wallet, and Ledger Live, as well as general system and browser data. Previous iterations of the AMOS malware, including those impersonating Ledger apps, have demonstrated the ability to bypass security measures such as Apple's Gatekeeper by using deceptive files, and to steal 24-word seed phrases through phishing interfaces.
Market Implications
The emergence of the Odyssey variant underscores a critical and evolving threat landscape within the cryptocurrency sector. This type of direct wallet compromise contributes significantly to the escalating financial losses reported across the digital asset ecosystem. Data from CertiK indicates that approximately $2.47 billion in cryptocurrency was stolen in the first half of 2025, surpassing the total losses for all of 2024. Wallet compromise was identified as the costliest attack vector, accounting for $1.7 billion across 34 incidents in H1 2025, largely driven by a few high-impact events. The continued proliferation of sophisticated Trojans like Odyssey, which specifically target wallet credentials, directly exacerbates this trend, eroding user trust and posing systemic risks to individual asset security.
Expert Commentary
SlowMist CISO 23pds explicitly warned users to remain vigilant against these threats. Security specialists advise extreme caution, urging individuals to avoid downloading any AI tools or cryptocurrency-related software from unofficial channels. Regular security checks on devices are recommended. The broader expert consensus, as highlighted by SlowMist CISO Shan Zhang regarding other malware such as ModStealer, emphasizes the severe threat posed by cross-platform and stealthy data stealers to the digital asset ecosystem. General security recommendations include downloading wallet extensions exclusively from official stores, verifying software publishers before installation, and enabling multi-factor authentication (MFA) wherever possible.
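The "verify the software publisher before installation" advice above can be made concrete on macOS, where AMOS-family malware runs. The following is an added example (not code from SlowMist or from the article) that runs Apple's own codesign and spctl tools on a downloaded app bundle and accepts it only if Gatekeeper passes it and the signer's Team ID matches the one you expect; the Team ID EXAMPLE123, the bundle name and the tool output samples are constructed placeholders, not real values.

```python
import re
import subprocess

# Placeholder Team ID standing in for the publisher you actually expect.
EXPECTED_TEAM_ID = "EXAMPLE123"

def parse_codesign(output):
    """Pull signer fields out of `codesign -dv --verbose=4` output (it goes to stderr)."""
    info = {"team_id": None, "authorities": [], "adhoc": False}
    for line in output.splitlines():
        key, _, value = line.partition("=")
        if key == "TeamIdentifier":
            info["team_id"] = None if value.strip() == "not set" else value.strip()
        elif key == "Authority":
            info["authorities"].append(value.strip())
        elif key == "Signature" and value.strip() == "adhoc":
            info["adhoc"] = True
    return info

def verdict(codesign_out, spctl_out, expected_team_id):
    """(ok, reason): ok only if Gatekeeper accepts the bundle AND the Developer ID
    Team ID is the one expected for this publisher (a familiar name alone is not enough)."""
    info = parse_codesign(codesign_out)
    if info["adhoc"] or info["team_id"] is None:
        return False, "unsigned or ad-hoc signed: no accountable publisher"
    if not re.search(r": accepted\b", spctl_out):
        return False, "Gatekeeper (spctl) did not accept the bundle"
    if not any(a.startswith("Developer ID Application:") for a in info["authorities"]):
        return False, "not signed with a Developer ID Application certificate"
    if info["team_id"] != expected_team_id:
        return False, f"Team ID {info['team_id']} does not match expected {expected_team_id}"
    return True, f"signed by expected Team ID {expected_team_id}"

def check_bundle(path, expected_team_id=EXPECTED_TEAM_ID):
    """Run Apple's tools on a real .app (macOS only) and return the verdict."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path], capture_output=True, text=True)
    return verdict(cs.stderr + cs.stdout, sp.stderr + sp.stdout, expected_team_id)

# Constructed sample output (not captured from any real bundle) for offline use.
SAMPLE_GOOD_CODESIGN = (
    "Identifier=com.example.aiclient\n"
    "Authority=Developer ID Application: Example Corp (EXAMPLE123)\n"
    "Authority=Developer ID Certification Authority\nAuthority=Apple Root CA\n"
    "TeamIdentifier=EXAMPLE123\n")
SAMPLE_GOOD_SPCTL = "/Applications/AIClient.app: accepted\nsource=Notarized Developer ID\n"
SAMPLE_ADHOC_CODESIGN = "Identifier=com.example.aiclient\nSignature=adhoc\nTeamIdentifier=not set\n"
SAMPLE_REJECT_SPCTL = "/Applications/AIClient.app: rejected\nsource=no usable signature\n"
```

On a Mac, call check_bundle("/path/to/Downloaded.app", "<publisher's Team ID>") before the first launch; the expected Team ID should come from the vendor's official site, not from the download itself.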
Broader Context and Business Strategy
The attack methodology employed by the Odyssey variant reflects an attacker strategy that capitalizes on popular technological trends, such as AI, to create believable decoys. This approach mirrors other evolving cybercrime tactics, including those used by groups like GreedyBear, which leverages AI-generated code and "extension hollowing" techniques (legitimate extensions that are later updated with malicious code) to target high-traffic wallets. The financial mechanics of these attacks involve the direct exfiltration of sensitive wallet data, such as seed phrases and private keys, which lets attackers drain compromised cryptocurrency holdings directly. This ongoing threat highlights the critical need for robust, multi-layered security practices across the Web3 ecosystem, encompassing not only individual user vigilance but also continuous code audits, real-time monitoring, and proactive incident response by platforms and developers. The scale of assets stolen through wallet compromises shows that attackers are increasingly focusing on the weakest link: the user's endpoint and their handling of sensitive credentials.