TLDR
- Hackers are distributing malware through fake “cracked” versions of TradingView Premium on Reddit
- The malware (Lumma Stealer and Atomic/AMOS Stealer) targets cryptocurrency wallets and can steal credentials
- Scammers actively engage with users in Reddit threads, offering “helpful” assistance with downloading
- Both Windows and Mac users are targeted with platform-specific malware
- Red flags include requirements to disable security software and password-protected zip files
Crypto traders beware: cybersecurity experts have discovered a dangerous scheme targeting digital asset holders through fake “cracked” versions of popular trading software.
Malwarebytes security researchers recently uncovered malware hidden inside counterfeit TradingView Premium downloads. These malicious files are being promoted on cryptocurrency subreddits by scammers claiming to offer free access to premium features.
The scheme works by luring users with promises of free access to TradingView’s premium charting tools. The scammers post download links to what they claim are “cracked” versions of the software that unlock paid features at no cost.
What users actually download are dangerous information-stealing programs. According to Jerome Segura, senior security researcher at Malwarebytes, these malicious downloads contain two different types of malware: Lumma Stealer and Atomic Stealer (also called AMOS).

Lumma Stealer has existed since 2022. It specifically targets cryptocurrency wallets and two-factor authentication browser extensions. This malware is designed to bypass security measures many crypto holders use to protect their funds.
Atomic Stealer first appeared in April 2023. It focuses on capturing sensitive data like administrator passwords and keychain information. Windows users typically receive the Lumma malware while Mac users are infected with AMOS.
The consequences for victims can be severe. Malwarebytes reports that people who downloaded the fake software have had their cryptocurrency wallets emptied. Attackers then use the victims’ accounts to send phishing links to their contacts, spreading the scam further.
What makes this scheme unusual is the level of engagement from the scammers. Unlike typical “drop and run” malware campaigns, these attackers remain active in Reddit threads. They help users troubleshoot download issues and answer questions, creating an illusion of legitimacy.
“What’s interesting with this particular scheme is how involved the original poster is, going through the thread and being ‘helpful’ to users asking questions or reporting an issue,” Segura wrote in the March 18 blog post detailing the threat.
The origin of the attack remains somewhat mysterious. Malwarebytes traced the website hosting the malicious files to a Dubai cleaning company. The command and control server for the malware was registered by someone in Russia approximately one week ago.
Security experts point out several red flags that should warn users about this type of scam. The fake TradingView files are “double zipped,” with the final zip file being password protected. Legitimate software typically doesn’t require such packaging.
Another warning sign is instructions to disable security software before running the program. This request should immediately raise suspicions as it creates an opening for malware to run undetected on your device.
The scammers also include disclaimers stating users download the files “at their own risk.” This attempt to avoid responsibility actually serves as another indicator of malicious intent.
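The packaging red flag described above (a zip inside a zip, with the inner archive password protected) can be checked from the archive metadata alone, without extracting or running anything. The Python below is an added example, not code from Malwarebytes or the original article; the function names, the 64 MiB size cap and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

ENCRYPTED = 0x1          # ZIP general-purpose flag bit 0: entry needs a password
MAX_MEMBER = 64 * 2**20  # assumed cap: skip members over 64 MiB, do not unpack them

def triage(data, depth=0, max_depth=3):
    """List (depth, name, finding) tuples for a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED:
                findings.append((depth, info.filename, "password-protected"))
                continue  # contents are unreadable without the password
            if info.is_dir() or depth >= max_depth or info.file_size > MAX_MEMBER:
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.append((depth, info.filename, "nested-zip"))
                findings += triage(member, depth + 1, max_depth)
    return findings

def matches_red_flag(data):
    """True when a password-protected entry sits inside a nested zip."""
    return any(d >= 1 and f == "password-protected" for d, _, f in triage(data))

# --- constructed sample data (no real files involved) ---
def make_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def mark_encrypted(zip_bytes):
    # Python's zipfile cannot write encrypted archives, so set the flag bit in
    # the central directory record by hand to simulate a locked entry.
    raw = bytearray(zip_bytes)
    raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(raw)

INNER = mark_encrypted(make_zip("installer-placeholder.bin", b"constructed bytes"))
SUSPICIOUS = make_zip("stage2.zip", INNER)
CLEAN = make_zip("readme.txt", b"constructed bytes")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, matches_red_flag(blob), triage(blob))
```

A match is a reason to quarantine the download for analysis, not proof of malware, since some legitimate archives are also nested or encrypted.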
The TradingView scheme is part of a wider trend of malware targeting cryptocurrency holders. Blockchain analytics firm Chainalysis estimates there was $51 billion in illicit transaction volume in the past year.
Only download software from official sources
Cybersecurity experts recommend only downloading software from official sources. TradingView’s legitimate software is only available through their official website or authorized app stores. Any other source should be considered suspicious.
Users should also maintain updated security software and never disable it at the request of a download page. Password managers and hardware wallets provide additional layers of protection for cryptocurrency holders.
The campaign specifically targets crypto communities on Reddit. Scammers know these platforms contain users likely to have digital assets worth stealing. They also rely on users seeking ways to avoid subscription fees for premium services.
For those who may have already downloaded suspicious software, immediate action is required. Changing passwords from a clean device, transferring crypto to new wallets, and running malware scanning tools can help limit damage.
Malwarebytes warns that the “lure of a free lunch is still very appealing” to many users, despite decades of malware distribution through cracked software. This persistent human vulnerability continues to make such attacks effective.