Key Takeaways
- SpyAgent is Android malware that harvests the images stored on an infected phone and uses optical character recognition (OCR) to pull sensitive data out of them, above all crypto wallet recovery phrases kept as screenshots or photos.
- SpyAgent runs quietly in the background and, because it goes after stored images rather than typed input, defenses built around keyloggers and phishing pages never see the theft. It is a serious threat to crypto holders.
- A recovery phrase lifted from a screenshot by OCR gives the attacker everything needed to restore the wallet elsewhere and drain it.
- It mainly targets South Korean users, was found by McAfee researchers in more than 280 fraudulent Android apps, and has begun to appear in the United Kingdom.
What if your crypto wallet recovery phrase, the most important safeguard for your digital assets, could be stolen because you once saved it as a screenshot? That is exactly what SpyAgent malware does: it applies optical character recognition (OCR) to the images on your phone and turns seemingly harmless pictures into a goldmine for attackers.
With this technique, SpyAgent has become one of the more dangerous threats to cryptocurrency holders. Is your recovery phrase safe from this image-hunting malware?
Let’s look at how SpyAgent operates and how to protect your wallet from threats like it.
What is SpyAgent malware?
SpyAgent is not run-of-the-mill malicious software. It is a targeted Android malware family built to steal cryptocurrency. Where traditional stealers rely on keystroke logging or phishing pages, SpyAgent relies on optical character recognition (OCR) to lift sensitive information out of images the victim already has on the device.
Now, you might be wondering, What exactly is OCR? Good question!
OCR is a legitimate technology for converting images or scanned documents into machine-readable text. SpyAgent turns it against the user: screenshots, photos and document images stored on the device are scanned for wallet recovery phrases or private keys. A recovery phrase is the master key to a wallet, which makes it a prime target.
Once the text is extracted, the recovery phrase goes straight to the attackers, who can restore the wallet on their own hardware and move the funds. What makes SpyAgent dangerous is that the protections many users rely on, anti-phishing filters and keylogger detection, never see the theft: nothing is typed and no fake login page is involved. By going after stored images, SpyAgent exploits a widespread but insecure habit, keeping a recovery phrase as a screenshot.
How does SpyAgent malware work?
SpyAgent malware uses clever and deceptive methods to steal cryptocurrency wallet recovery phrases. A crypto recovery phrase, also known as a seed phrase or backup phrase, is a series of randomly generated words (typically 12, 18 or 24 words) that act as a master key to access a cryptocurrency wallet.
This phrase is generated when you first create a wallet and is used to recover the wallet and funds if you lose access to your device or private keys.
Because seed phrases are hard to remember, people tend to save or print them, and some, to make it easier, take a screenshot of the phrase and keep it as an image on their phone or let it sync to a cloud photo album.
This is where the SpyAgent malware comes into action. Here’s how it works:
- Infiltration: SpyAgent ships inside a fake Android app, typically reached through a phishing link (often sent by SMS) to a site that serves the APK for installation outside Google Play. Once installed, it runs in the background with no obvious sign to the user.
- Collecting images: Rather than attacking wallet software directly, SpyAgent gathers the images and screenshots stored on the device and uploads them to a server the attackers control. Many people keep their recovery phrase or private key as an image for convenience, and that habit is what SpyAgent relies on.
- OCR: This is the technical core. The uploaded images are run through OCR to pull out any legible text, and the output is searched for recovery phrases or private keys. In the campaign McAfee analyzed, this step ran on the attackers’ servers rather than on the phone. OCR is an ordinary tool for turning printed or handwritten text into digital data; here it is weaponized.
- Data extraction and theft: Once a recovery phrase is found, the attackers import it into their own wallet software. With it they hold full control of the wallet and can transfer or sell the funds without any further interaction with the victim.
- Low-profile operation: Because SpyAgent reads stored images rather than capturing typed input, defenses built around keystroke monitoring or credential phishing have nothing to detect. Stopping it comes down to the app itself being flagged as malicious, which is where mobile anti-malware such as Google Play Protect comes in.
This method of stealing crypto keys highlights the growing sophistication of malware, demonstrating the importance of secure storage practices, such as using hardware wallets and encrypted backups, to protect digital assets.
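The step that turns OCR output into a stolen wallet is a text filter, and the same filter works defensively: run it over the OCR output of your own photo library and you find the screenshots SpyAgent would find. What follows is an added example written for this article, not code from the page, from McAfee or from the malware. It uses two properties of BIP39 mnemonics, the valid lengths (12, 15, 18, 21 or 24 words) and the 3-to-8-letter shape of every word in the English list, and handles the numbered two-column layout that OCR reads row by row. The OCR step itself and the official 2048-word list are left to the reader (pass the list as a set to tighten the match); the sample OCR text is constructed.

```python
import re
from typing import Dict, List, Optional, Set

# Two properties of BIP39 mnemonics used as cheap filters: the phrase is
# 12, 15, 18, 21 or 24 words long, and every word in the English list is
# 3 to 8 lowercase ASCII letters.
VALID_LENGTHS = {12, 15, 18, 21, 24}
SHAPE_RE = re.compile(r"^[a-z]{3,8}$")

# Numbered layout that wallet apps show when displaying a new phrase:
# "1. abandon", "2) ability", "3: able". The separator is required so that
# prose such as "these 12 words" is not taken for an item.
NUMBERED_RE = re.compile(r"\b(\d{1,2})\s*[.:)-]\s*([A-Za-z]+)\b")


def looks_like_seed_word(word: str, wordlist: Optional[Set[str]] = None) -> bool:
    """Shape check, tightened to an exact lookup when a BIP39 word list is given."""
    if not SHAPE_RE.match(word):
        return False
    return wordlist is None or word in wordlist


def find_numbered_phrases(text: str, wordlist: Optional[Set[str]] = None) -> List[List[str]]:
    """Recover numbered phrases from OCR text.

    (number, word) pairs are collected into blocks; a block is accepted when it
    holds exactly the numbers 1..n for a valid n. Ordering by number means a
    two-column layout that OCR read row by row (1, 7, 2, 8, ...) still comes
    out in the right order.
    """
    blocks: List[Dict[int, str]] = []
    block: Dict[int, str] = {}
    for num_s, word in NUMBERED_RE.findall(text):
        num, word = int(num_s), word.lower()
        if not looks_like_seed_word(word, wordlist):
            continue
        if num in block:  # a repeated number means a new list has started
            blocks.append(block)
            block = {}
        block[num] = word
    blocks.append(block)

    phrases = []
    for b in blocks:
        n = len(b)
        if n in VALID_LENGTHS and set(b) == set(range(1, n + 1)):
            phrases.append([b[i] for i in range(1, n + 1)])
    return phrases


def find_plain_runs(text: str, wordlist: Optional[Set[str]] = None) -> List[List[str]]:
    """Unnumbered phrases: maximal runs of seed-shaped tokens with a valid length.

    Any token that is not a seed-shaped word (digits, punctuation, a two-letter
    word, a nine-letter word) ends the run. Without a word list ordinary prose
    produces runs too, so the length check does most of the filtering; pass
    the official list to make this precise.
    """
    runs: List[List[str]] = []
    run: List[str] = []
    for token in text.split():
        word = re.sub(r"[^a-z]", "", token.lower())
        if looks_like_seed_word(word, wordlist):
            run.append(word)
            continue
        if len(run) in VALID_LENGTHS:
            runs.append(run)
        run = []
    if len(run) in VALID_LENGTHS:
        runs.append(run)
    return runs


def scan_ocr_text(text: str, wordlist: Optional[Set[str]] = None) -> List[Dict]:
    """Return every candidate recovery phrase found in OCR output."""
    found = [{"method": "numbered", "length": len(p), "words": p}
             for p in find_numbered_phrases(text, wordlist)]
    found += [{"method": "run", "length": len(r), "words": r}
              for r in find_plain_runs(text, wordlist)]
    return found


# Constructed sample: what an OCR engine might return for two images, a wallet
# app's numbered two-column phrase screen and a photographed paper backup.
SAMPLE_OCR_TEXT = """
Your Secret Recovery Phrase
Write these words down in order and never share them.
1. abandon    7. absorb
2. ability    8. abstract
3. able       9. absurd
4. about     10. abuse
5. above     11. access
6. absent    12. accident
[ Continue ]

Cold storage backup - 2021
abandon ability able about above absent
absorb abstract absurd abuse access accident
account accuse achieve acid acoustic acquire
across act action actor actress actual
Do not photograph this!!!
"""

if __name__ == "__main__":
    for hit in scan_ocr_text(SAMPLE_OCR_TEXT):
        print(f"{hit['method']:8} {hit['length']:2} words: {' '.join(hit['words'][:4])} ...")
```

On the sample this reports the 12-word numbered phrase in the correct order and the 24-word paper backup as a plain run. The point for defenders is how little the attacker needs: no wallet exploit, no keylogger, just a length check and a word-shape regex over text that a free OCR engine produces.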
Did you know? Storing your crypto wallet recovery phrase as an image on your phone or in cloud storage leaves it exposed to exactly this kind of malware, and a cloud-synced photo album widens the exposure to every device and account that can read it. Keep the private keys in a hardware wallet and keep the recovery phrase offline, written on paper or stamped in metal, never on a screen or in a photo.
How was the SpyAgent OCR crypto threat detected?
McAfee Labs first identified the threat while analyzing Android apps engaged in unauthorized data collection. The apps masqueraded as legitimate software (banking apps, utilities, government services and the like) and, once installed, quietly uploaded the images stored on the device.
Through its investigation, McAfee uncovered over 280 fake apps targeting users in South Korea since early 2024. These apps were sending images containing crypto wallet recovery phrases to remote servers, where the attackers applied OCR to extract the text. McAfee’s researchers concluded that the malware’s primary goal was to obtain mnemonic recovery phrases for cryptocurrency wallets, a direct focus on draining crypto assets.
According to McAfee, the malicious apps were distributed through phishing messages, including SMS links, that impersonated banks, government agencies, TV streaming services, public utilities and similar organizations. Once installed, the malware sends text messages, contacts and images from the device to a remote server controlled by the attacker.
SpyAgent malware analysis and evolving threats
Here’s a summary of the key findings on how SpyAgent evolved and continues to target cryptocurrency credentials:
- Malware overview: SpyAgent employs OCR technology to extract cryptocurrency wallet recovery phrases from images stored on Android devices. These recovery phrases, usually 12–24 words long, are crucial for restoring access to cryptocurrency wallets.
- Distribution: McAfee identified at least 280 Android applications distributing this malware, primarily outside of Google Play. These apps imitate legitimate services, including government applications, dating sites and adult content platforms.
- Target regions: The malware predominantly targets users in South Korea but has shown signs of expanding to the UK. There are also indications of a potential iOS variant in development.
- Data exfiltration: Upon infection, SpyAgent collects sensitive information, including:
  - the victim’s contact list, used to spread the malware further via SMS
  - incoming SMS messages, especially those carrying one-time passwords (OTPs)
  - images stored on the device, which are uploaded for OCR scanning
- Command and control: The malware can receive commands to manipulate device settings or send SMS messages, potentially to distribute further phishing attempts.
- Security risks: The infrastructure used by SpyAgent operators exhibited poor security practices, allowing researchers to access stolen data and confirm the number of victims.
- Prevention tips: To stay safe, avoid installing apps from outside Google Play, be wary of suspicious SMS links, and manage app permissions carefully. Thankfully, Google Play Protect offers automatic protection against known variants of such malware.
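The collection behaviour listed above (contacts, incoming SMS, stored images, SMS sending, a network channel to the server) has to be declared in the app’s manifest, which makes a sideloaded APK cheap to triage before it is ever run. The script below is an added example for this article, not McAfee’s tooling or anything from the campaign. It assumes the APK has already been decoded (for instance with `apktool d app.apk`, which writes a plain-text AndroidManifest.xml) and that you are reading that file; the two manifests embedded here are constructed for the demonstration and do not come from any real app.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permission groups that, taken together, match the collection behaviour
# described above: contacts (for SMS propagation), SMS (OTP interception and
# sending), stored images (the OCR input) and network access (the upload).
PROFILE: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "network": {"android.permission.INTERNET"},
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Names from every <uses-permission android:name="..."/> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def registers_sms_receiver(manifest_xml: str) -> bool:
    """True if any <receiver> filters on SMS_RECEIVED, i.e. the app asks for every incoming SMS."""
    root = ET.fromstring(manifest_xml)
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_RECEIVED:
                return True
    return False


def triage(manifest_xml: str) -> Dict:
    """Score a manifest against the profile.

    A match is a triage lead, not proof: a legitimate SMS client requests most
    of these too. The question is whether the app's stated purpose (a
    "government services" app, a dating app) explains the combination.
    """
    perms = set(requested_permissions(manifest_xml))
    hits = {group: bool(perms & names) for group, names in PROFILE.items()}
    hits["sms_receiver"] = registers_sms_receiver(manifest_xml)
    suspicious = bool(hits["contacts"] and hits["sms_read"]
                      and hits["images"] and hits["network"])
    return {"permissions": sorted(perms), "hits": hits, "suspicious": suspicious}


# Constructed manifests (not from any real app). The first declares what a fake
# "government services" app with the feature set described above would need;
# the second is a photo editor that legitimately reads images and nothing else.
FAKE_GOV_APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="kr.example.govservice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Gov Service">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

PHOTO_EDITOR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <application android:label="Photo Editor"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("fake gov app", FAKE_GOV_APP_MANIFEST),
                       ("photo editor", PHOTO_EDITOR_MANIFEST)):
        print(label, triage(xml))
```

The photo editor reads images and uses the network, which on its own is normal; the fake government app is flagged because it also wants contacts, every incoming SMS and the ability to send SMS, a combination a government information app has no reason to need. Permission triage is a filter for what to look at more closely, not a verdict.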
Did you know? A mid-year crypto crime report by Chainalysis revealed that in 2024, crypto-related scams have become increasingly short-lived, with the average lifespan shrinking from 271 days in 2020 to just 42 days in 2024. This shows that scammers are moving toward quicker, high-profit schemes instead of long-term Ponzi operations, largely due to increased awareness and law enforcement efforts. Be cautious of investment offers that sound too good to be true.
Protecting your crypto from SpyAgent malware
The discovery of SpyAgent emphasizes the need for heightened security when managing crypto assets. Here are some tips to defend against this threat:
- Avoid storing recovery phrases as images: Keeping your recovery phrase as an image on your device makes you a target for OCR-based malware like SpyAgent.
- Use hardware wallets: A hardware wallet keeps your private keys on a device that never exposes them to your phone or computer, so malware on those devices cannot sign transactions for you. Its recovery phrase still exists, so write it on paper or metal and keep it off every screen and camera.
- Enable encryption: Turn on device and cloud-storage encryption to protect a lost or stolen device. Know its limit: encryption at rest does nothing against malware running on the unlocked device with permission to read your photos, which is exactly SpyAgent’s position. It complements, rather than replaces, keeping the phrase out of images altogether.
By adopting these stronger security measures, you can significantly reduce the risk of falling victim to SpyAgent’s tactics. Stay vigilant and safeguard your crypto like the valuable asset it is.
Written by Shailey Singh