
    Private Key Theft Becomes Industrialized, Galaxy’s GK8 Warns

    By IsmailKhan, November 18, 2025

    Private key theft is no longer just another way hackers attack crypto users — it has become a full-fledged business, according to GK8, a crypto custody expert owned by Mike Novogratz’s crypto investment platform Galaxy Digital.

    In a report published Monday, GK8 detailed how private key theft has evolved into an industrialized operation, highlighting the rise of black market tools that allow perpetrators to locate and steal someone’s seed phrase.

    The study pointed to several tools, such as malware infostealers and seed phrase finders, that can scan files, documents, cloud backups and chat histories to quickly extract a user’s private key, effectively giving attackers full control over their assets.

    “For the crypto industry, using secure custody, implementing multi-step approval processes, and enforcing role separation are essential to mitigating the risk posed by this commercialized and constantly evolving threat,” the report states.

    It all starts with malware

    According to GK8, private key theft is a multi-stage process that usually begins with hackers using malware to steal large amounts of data from an infected device.

    Threat actors then feed the stolen data into automated tools that rebuild seed phrases and private keys. After identifying wallets containing valuable assets, attackers assess the security measures to drain the funds.

    “These applications perform high-precision mnemonic parsing, transforming raw logs into keys, and are sold for hundreds of dollars on darknet forums,” GK8 revealed in the report.

    Seed phrase parser tools on the black market. Source: GK8 by Galaxy

    Malware infostealers, a type of malware designed to silently harvest data from victims’ devices, have been on the rise in recent years, and macOS users are not immune, according to the cybercrime threat intelligence firm Kela.

    Source: Kela

    “Once considered relatively safe due to Apple’s built-in protections, macOS devices are still a target for cybercriminals,” Kela said in a report published Nov. 10, stating that macOS infostealer activity “appears to be peaking in 2025.”

    How users can protect themselves

    Amid rising private key hacks, users can protect themselves by assuming all local device data could be compromised, never storing seed phrases in digital form, using multiparty approval for transactions and relying on secure custody systems, GK8 concluded in its report.

    “A healthy combination of hot, cold, and impenetrable vault storage is necessary to minimize the asset value exposed to an immediate drain,” GK8 said.

    Kela warned that malware infostealers often rely on social engineering, using fake installers, poisoned ads, or phishing campaigns to trick users.

    “To stay safe, users should be extremely careful with attachments and links, avoid software from untrusted sources, and resist scams that exploit macOS’ reputation for security,” Kela said.

    The firm also stressed the importance of strong, unique passwords for financial apps, enabling multifactor authentication and keeping macOS and all applications up to date to prevent malware from stealing sensitive information.