WhatsApp worm spreads forever stealing banking trojan in Brazil

Brazilian crypto holders are being urged to be vigilant for a sophisticated hacking campaign that includes a hijacking worm and banking trojan distributed via WhatsApp messages.
According to a new report from SpiderLabs, Trustwave’s cybersecurity research team, the banking trojan, known as the “relentless thief,” is being pushed through social engineering on the messaging application WhatsApp, using lures such as “fake government programs, delivery notices,” messages from friends and fraudulent investment groups.
“WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware,” said SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.
In layman’s terms, clicking on the WhatsApp worm link sets off a chain reaction that infects the victim with both the worm and the banking trojan.
The worm hijacks the account and obtains the victim’s contact list. It uses “smart filtering” to skip business contacts and groups and target individual contacts, which makes the process more efficient.
Meanwhile, the banking trojan is downloaded automatically to the victim’s device and launches the stealer in the background, where it can scan for financial data and logins to a range of Brazilian banks and fintech or crypto exchanges.
The malware also has clever ways to avoid detection or shutdown. Instead of having a fixed server address, it uses a pre-set Gmail account to check for new commands via email. This allows hackers to modify commands by sending new emails.
“A prominent feature of this malware is that it uses hardcoded credentials to log into its email account, where it has obtained the C2 server. This is a very clever way to update C2 and avoid detections or takedowns at a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,” the report reads.
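One way a defender could hunt for the mailbox-based C2 lookup described above, as an added example that is not from the Trustwave report or this article: it flags processes outside a mail-client allowlist that connect to Gmail's mail endpoints and lists where they connect next. It assumes the mailbox is reached over standard mail protocols; the log format, allowlist, time window and all sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: the mailbox is reached via Gmail's public mail endpoints and usual mail ports.
GMAIL_MAIL_HOSTS = {"imap.gmail.com", "pop.gmail.com", "smtp.gmail.com"}
MAIL_PORTS = {993, 995, 465, 587}
# Hypothetical allowlist: processes expected to talk to a mailbox on this fleet.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Hypothetical window in which a follow-on connection is treated as related.
FOLLOW_WINDOW = timedelta(minutes=5)

# Constructed sample events: time, host, process, destination, port.
SAMPLE_LOG = """\
2025-01-10T09:00:01 ws-014 outlook.exe imap.gmail.com 993
2025-01-10T09:02:10 ws-022 updater.exe imap.gmail.com 993
2025-01-10T09:02:14 ws-022 updater.exe c2.example.net 443
2025-01-10T09:03:00 ws-022 chrome.exe mail.google.com 443
2025-01-10T09:30:00 ws-022 updater.exe cdn.example.org 443
"""

def parse(log):
    """Yield (time, host, process, destination, port) from whitespace-separated lines."""
    for line in log.splitlines():
        ts, host, proc, dest, port = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower(), int(port)

def find_mailbox_c2_candidates(log):
    """Return {(host, process): [destinations contacted soon after mailbox access]}."""
    last_mail_access = {}   # (host, process) -> time of latest mailbox connection
    findings = {}
    for ts, host, proc, dest, port in sorted(parse(log)):
        key = (host, proc)
        if dest in GMAIL_MAIL_HOSTS and port in MAIL_PORTS:
            if proc not in APPROVED_MAIL_CLIENTS:
                last_mail_access[key] = ts
                # Mailbox access by a non-mail process is a finding on its own.
                findings.setdefault(key, [])
        elif key in last_mail_access and ts - last_mail_access[key] <= FOLLOW_WINDOW:
            # Follow-on destination: candidate C2 address to review.
            if dest not in findings[key]:
                findings[key].append(dest)
    return findings

if __name__ == "__main__":
    for (host, proc), dests in find_mailbox_c2_candidates(SAMPLE_LOG).items():
        print(f"{host} {proc}: mailbox access by non-mail process, then contacted {dests}")
```

Blocking the mailbox connection alone is not sufficient, since the report says the malware falls back to a hardcoded C2 address; the follow-on destinations are what to review in that case too.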
According to data from the crypto analytics platform Chainalysis, Brazil is the largest country for crypto adoption in Latin America, and ranks fifth in the 2025 Global Crypto Adoption Index top 20.
The index is based on countries’ use of different types of crypto services, and takes into account other factors, including population size and purchasing power.
How to stay safe
Users of apps like WhatsApp are advised to treat any link sent to them with caution, even one from a trusted contact.
A useful tactic is to message the sender in a separate app to confirm that the link is okay, and to be suspicious of a link sent out of the blue with limited context.
Keeping software updated can also help protect people from attacks that exploit bugs in older versions, while anti-virus software can help flag issues.
If someone is hacked, it is important to immediately freeze all potential access points to banking and crypto services to stop the bleeding. Funds tracking can also help exchanges, researchers or authorities track where assets go, potentially helping them freeze hacker wallets.



