Is the US targeting Solana devs in Russia with crypto ‘infostealers’?

Russian Solana devs are being targeted by “infostealer” malware, possibly deployed by US state-sponsored actors, according to research by software supply chain security firm Safety.

The findings, published by Safety’s Head of Research Paul McCarty, led to speculation from security news outlet The Register that they could point to an attempt by the US to disrupt Kremlin-linked ransomware gangs.

According to McCarty’s research, a threat actor using a cryptocurrency-focused “infostealer” dubbed “Solana-scan” has been targeting Solana community members whose IP addresses are in Russia.

The malicious packages, “solana-pump-test” and “solana-spl-sdk,” were uploaded to the JavaScript package registry npm by someone with the username “cryptohan.” They pretend to scan “for Solana SDK components” while actually stealing data on crypto credentials and the tokens the victim holds.

“Cryptohan” is a popular moniker in the crypto community and was presumably chosen to give the malware an “illusion of legitimacy.”


What is particularly notable, says McCarty, is that the infostealer sends the stolen data to “command and control servers” with US IP addresses.

Combine this with the fact that the victims’ IP addresses are in Russia, and McCarty speculates that the attacks could be the work of “a state-sponsored actor.”

Indeed, The Register suggests, these victims could be members of Russian ransomware gangs that have plagued US infrastructure for years while demanding cryptocurrency payments.

Also noteworthy is that the malware appears to have been “vibe-coded” — a software development technique that relies on large language models to generate code.

As McCarty points out, the JavaScript payload has the hallmarks of “generative AI tools like Claude.”
