Hackers Disguise Virus as CAPTCHA: Lumma Stealer Threatens Crypto Wallets
Cybercriminals are refining attack methods on cryptocurrency owners by disguising malware as familiar interface elements like CAPTCHA. According to a DNSFilter report, the Lumma Stealer malware, spread through fake CAPTCHA forms, steals cryptocurrency wallet data, passwords, and two-factor authentication (2FA) codes. This sophisticated scheme allows hackers to steal digital assets in minutes, making it especially dangerous for users.
The attack begins when users encounter a fake CAPTCHA form, often on sites imitating banking or financial platforms. In one case, a fake CAPTCHA was found on a site disguised as a Greek bank page. Users were prompted to press the Windows + R key combination to open the "Run" window and paste in a PowerShell command. Executing this command initiates the hidden installation of Lumma Stealer, which bypasses most antivirus programs. The malware gathers confidential data, including passwords stored in browsers, 2FA tokens, private cryptocurrency wallet keys, and access to password managers.
Lumma Stealer uses a fileless execution technique, which makes it difficult to detect with standard protection tools. After activation via PowerShell, the malware scans the system for valuable data such as cryptographic keys and accounts. According to DNSFilter, the attack is linked to domains such as human-verify-7u.pages.dev and recaptcha-manual.shop, which either return an error or execute commands outside the browser. The malware interacts with legitimate browser processes, making it even more stealthy.
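An added example, not code from DNSFilter or from this article: Windows records commands entered in the Run dialog under the per-user registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so exported values can be triaged for the Win + R lure described above. The function name, the heuristics and the sample values are assumptions constructed for illustration; only the two domains come from the report.

```python
import re

# Domains named in the DNSFilter report cited on this page.
REPORTED_DOMAINS = ("human-verify-7u.pages.dev", "recaptcha-manual.shop")

# Script hosts that a Run-dialog entry rarely launches with these arguments.
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I)
INDICATORS = {  # heuristic patterns (assumptions, tune for your environment)
    "hidden window": re.compile(r"\s-w\w*\s+h\w*", re.I),
    "encoded command": re.compile(r"\s-e\w*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}

def triage_runmru(values):
    """Return [(value_name, command, reasons)] for suspicious Run-dialog entries."""
    findings = []
    for name, raw in sorted(values.items()):
        if name == "MRUList":  # ordering string, not a command
            continue
        # RunMRU stores each command with a trailing "\1" marker.
        command = raw[:-2] if raw.endswith("\\1") else raw
        if not INTERPRETER.search(command):
            continue
        reasons = [label for label, rx in INDICATORS.items() if rx.search(command)]
        reasons += [f"reported domain {d}" for d in REPORTED_DOMAINS
                    if d in command.lower()]
        if reasons:  # an interpreter alone (e.g. "cmd /c ipconfig") is not flagged
            findings.append((name, command, reasons))
    return findings

# Constructed sample values (not taken from a real host or from the report).
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "# constructed sample https://recaptcha-manual.shop/"\\1',
    "c": "cmd /c ipconfig\\1",
    "d": "powershell.exe -NoProfile -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA\\1",
}

if __name__ == "__main__":
    for name, command, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"[!] RunMRU value {name!r}: {command}")
        print(f"    reasons: {', '.join(reasons)}")
```

A hit here means the user ran the command from the Run dialog, so it is a reason to treat that account's browser passwords, 2FA seeds and wallet keys as exposed, not just an alert to close.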
Once infected, Lumma Stealer instantly extracts cryptocurrency wallet data, allowing hackers to transfer funds to controlled addresses. Elliptic analysts note that stolen assets can be laundered through decentralized exchanges (DEX) and other platforms in 2–3 minutes, making recovery nearly impossible. This underscores the high speed and effectiveness of modern cyberattacks targeting cryptocurrencies.
Cybersecurity experts strongly recommend users exercise caution when interacting with CAPTCHA forms, especially on unfamiliar sites. Key recommendations include:
Never execute commands in PowerShell or other command lines based on web page instructions.
Use hardware wallets and reliable 2FA methods such as physical security keys.
Regularly update antivirus software and use solutions to filter suspicious domains.
Conduct user training to recognize phishing attacks.
DNSFilter successfully blocks such attacks through content filtering and domain analysis, demonstrating the effectiveness of proactive measures.
Lumma Stealer, disguised as CAPTCHA, presents a serious threat to cryptocurrency users. This attack highlights the importance of digital hygiene and vigilance when interacting with online resources. In an environment where stolen assets can be laundered in minutes, protection requires reliable tools and awareness. Users should avoid suspicious actions and verify the legitimacy of sites to minimize the risk of asset loss.