

Needle is a modular malware-as-a-service platform built specifically for cryptocurrency theft. Unlike generic stealers that harvest everything and sort credentials later, Needle is purpose-built around two attack surfaces: desktop cryptocurrency wallet applications and browser-based wallet extensions. Its architecture is designed to be operated by non-technical affiliates through a web-based admin panel, with infrastructure and payload delivery handled by the platform operators.
Researchers at Beelzebub obtained access to an active Needle deployment and conducted a full technical analysis. At the time of analysis, the operation had 1,932 confirmed victims across two active modules and was acquiring three to five new victims every few hours. On-chain analysis confirmed active fund movement across Bitcoin, Litecoin, Dogecoin, Solana, TRON, and EVM-compatible chains.
The analysis also revealed a critical operational security failure by the platform operators that gave researchers full access to the victim database, operator activity logs, and withdrawal configuration. More on that below.
Needle operates through two distinct attack modules that can be deployed independently or together.
The desktop component is a Rust executable that impersonates three widely used cryptocurrency wallets: Exodus, Trezor, and Ledger. The binary presents a convincing Restore Wallet interface, the same screen shown when a user is recovering access to an existing wallet using their seed phrase.
This is a deliberate choice of attack surface. Seed phrase entry is a normal, expected part of wallet recovery. Users who encounter a Restore Wallet prompt are typically less suspicious than users asked to enter credentials on an unfamiliar login page. They're doing something they've done before, on what appears to be a trusted application.
The moment a victim enters their seed phrase, the platform triggers automated fund transfers to attacker-controlled addresses. The transfers happen immediately and are irreversible. There's no window for the victim to cancel once the phrase is submitted.
Binaries ranged from 5MB to 50MB. Persistence was achieved through a registry Run key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring the spoofer restarts with the user's session.
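The Run key is the one host artefact the write-up gives for the desktop module, and it is cheap to triage. The following Python is an added example, not code from the Beelzebub analysis: it parses the text that "reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" prints on a Windows host, flags every value whose executable lives somewhere an unprivileged user can write, and adds a cheap heuristic for Rust toolchain residue in a file's bytes. The registry dump, value names, paths and marker strings below are constructed for the example; the user-writable locations and Rust markers are the author's assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample of the text that
#   reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# prints on a Windows host. Every value name and path here is invented for
# this example; a real export will differ.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Exodus    REG_SZ    "C:\Users\alice\AppData\Local\Temp\Exodus\Exodus.exe" --restore
    Updater    REG_EXPAND_SZ    %APPDATA%\svc\svc.exe
    Teams    REG_SZ    "C:\Program Files\Teams\Teams.exe"
"""

# Locations an unprivileged user can write to (assumed list). A legitimate
# per-user install (Discord, Chrome, the real Exodus) also lives under
# AppData, so a hit is a triage lead, not a verdict: verify signature and hash.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|[a-z]:\\users\\public\\"
    r"|[a-z]:\\programdata\\"
    r"|[a-z]:\\windows\\temp\\"
    r"|%(?:appdata|localappdata|temp|tmp|userprofile)%\\)",
    re.IGNORECASE,
)

# One value per line: <name>  <type>  <data>, separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

# Strings Rust toolchains leave behind (panic source paths, unwind symbols).
# Heuristic only: require two hits, since a single one is weak evidence.
RUST_MARKERS = (b"/rustc/", b"library/core/src/", b"library/std/src/",
                b"rust_begin_unwind", b"rust_panic")


@dataclass
class RunEntry:
    name: str
    kind: str
    command: str
    exe: str
    user_writable: bool


def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths containing spaces are ambiguous on Windows as well;
    # take the first token, which is what CreateProcess tries first.
    return cmd.split()[0] if cmd else ""


def parse_run_entries(reg_query_output: str) -> list[RunEntry]:
    entries = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header, blank line, anything that is not a value
        name, kind, command = m.groups()
        exe = extract_exe(command)
        entries.append(RunEntry(name, kind, command.strip(), exe,
                                bool(USER_WRITABLE.match(exe))))
    return entries


def suspicious_run_entries(reg_query_output: str) -> list[RunEntry]:
    """Run values whose executable sits somewhere an ordinary user can write."""
    return [e for e in parse_run_entries(reg_query_output) if e.user_writable]


def looks_like_rust(blob: bytes) -> bool:
    """Cheap check of a file's bytes for Rust toolchain residue."""
    return sum(marker in blob for marker in RUST_MARKERS) >= 2


if __name__ == "__main__":
    for entry in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"[!] Run\\{entry.name} -> {entry.exe}")
```

On a live host, redirect the reg query output to a file and feed it to parse_run_entries; repeat for the RunOnce key and the HKLM equivalents, which the report does not mention but which are the usual next places to look. Each flagged entry still needs the file itself checked (signature, hash, and looks_like_rust over its bytes) before it is called an infection.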
The browser component targets three widely used browser-based cryptocurrency wallet extensions: MetaMask, Phantom, and Trust Wallet. The malicious extension either replaces the legitimate wallet extension or intercepts its communications, depending on the deployment method.
From the victim's perspective, the wallet looks completely normal. Icons, interfaces, and transaction histories are preserved. The user interacts with what they believe is their real wallet while the extension harvests credentials, private keys, and session tokens and transmits them to the Needle C2 server.
The browser variant is particularly dangerous because an extension runs with broad access to the pages, cookies and sessions of every site it has permission to read, and users rarely audit what they have installed. Malicious extensions frequently persist for months before being identified.
Needle's operators made a fundamental error in building their Rust agent: the C2 API key was embedded in the binary in plain text, with no encryption or obfuscation. Any researcher who obtained a sample could extract it directly without any reverse engineering complexity.
Beelzebub extracted the key and used it to query the Needle C2 API directly. The API had no additional authentication layers beyond the embedded key. It returned the complete victim database, the full withdrawal configuration showing attacker-controlled wallet addresses across six blockchains, and operator activity logs.
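The extraction the report describes needs no reverse engineering: a plain-text key is a high-entropy token sitting among ordinary strings. As an added example (not the Beelzebub tooling and not the real key), the Python below reproduces the first step an analyst would take over a sample: pull printable strings the way strings -n 8 does, tokenise them, and keep only long hex- or base64-looking tokens whose Shannon entropy is too high to be a word, a path or padding. The binary blob, the key and the bearer token are constructed for this example and belong to no real service; the 3.0/4.5 bit thresholds are the customary ones for this heuristic, not values from the report.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for a binary: a few header bytes, some UI strings, a
# fake API key next to its header name, a fake bearer token, and a long
# low-entropy decoy. The key and token are invented for this example.
FAKE_API_KEY = "9f3c7a1e5b2d8e4f6a0c1b3d7e9f2a4c"
FAKE_BEARER = "Q7xL2mP9zK4dV8bN3hR6tW1yJ5fG0cS+aU/eIoZw"
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"Restore Wallet\x00Enter your 12 or 24 word recovery phrase\x00"
    + b"x-api-key: " + FAKE_API_KEY.encode() + b"\x00"
    + b"Authorization: Bearer " + FAKE_BEARER.encode() + b"\x00"
    + b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"
    + b"\x00" * 32
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")       # runs of 8+ printable ASCII
TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")         # hex/base64 alphabet, 20+ chars
HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class Candidate:
    offset: int      # byte offset of the token within the blob
    token: str
    entropy: float   # Shannon entropy, bits per character
    context: str     # the whole printable string the token sits in


def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def extract_strings(blob: bytes):
    """Same idea as `strings -n 8`: printable runs with their offsets."""
    for m in PRINTABLE.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def find_candidate_secrets(blob: bytes, hex_threshold: float = 3.0,
                           b64_threshold: float = 4.5) -> list[Candidate]:
    """Flag long hex/base64-looking tokens whose entropy is too high for prose.

    Hex tops out at 4 bits/char and base64 at 6, so random-looking keys sit
    above the thresholds while words, paths and padding (AAAA...) fall below.
    """
    found = []
    for offset, s in extract_strings(blob):
        for m in TOKEN.finditer(s):
            token = m.group()
            entropy = shannon_entropy(token)
            threshold = hex_threshold if HEX.match(token) else b64_threshold
            if entropy >= threshold:
                found.append(Candidate(offset + m.start(), token,
                                       round(entropy, 2), s))
    return found


if __name__ == "__main__":
    for c in find_candidate_secrets(SAMPLE_BINARY):
        print(f"0x{c.offset:06x}  H={c.entropy:.2f}  {c.context}")
```

The context field is what makes a hit actionable: a token sitting next to "x-api-key" or "Authorization" is the one to test against the C2, while the same heuristic also surfaces embedded wallet addresses and hashes, which is why the output should be read rather than alerted on. A packed sample yields nothing until it is unpacked or dumped from memory.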
The admin panel compounded the failure with client-side-only authentication: credential validation was performed in JavaScript in the browser rather than server-side. Anyone who knew the panel URL could bypass the login screen entirely by manipulating the client-side state.
These aren't sophisticated vulnerabilities. They're fundamental implementation errors that suggest the platform was developed rapidly without security review. The irony: a malware platform built to exploit users' failure to verify software made the same verification failure in its own infrastructure.
On-chain analysis of the attacker-controlled addresses confirmed active fund movement during the period of analysis. The Ethereum address showed $148 in ETH drained to three cold wallets. The TRON address held $60 in USDT and TRX during active collection.
These amounts reflect a single snapshot. The operation had nearly 2,000 victims and was adding new ones continuously. The attacker-controlled addresses are rotated, and the platform runs across six blockchain networks simultaneously. The total funds moved through the full operational period is substantially higher than any point-in-time snapshot suggests.
The malware-as-a-service model also means the platform operators take a cut of every theft, making the infrastructure profitable regardless of how skilled individual affiliates are. The barrier to running a crypto-stealing campaign drops to the cost of a Needle subscription.
Platforms like Needle represent a structural shift in the threat landscape. Infections from these platforms are harder to catch at the perimeter because the delivery mechanism is social engineering, not network intrusion: the malware arrives because a user was deceived into installing it.
For organisations, the risk extends beyond individual employees' personal wallets. Enterprise treasury management increasingly involves digital assets. Employees with administrative access to company cryptocurrency holdings are high-value targets. A successful Needle infection on a finance team member's device can have consequences well beyond personal financial loss.
The browser extension attack vector is also relevant in contexts entirely unrelated to cryptocurrency. Malicious extensions can harvest credentials for SaaS platforms, internal tools, and corporate VPNs. An employee who installs a malicious crypto wallet extension is also exposing every other authenticated session in that browser.
Understanding your organisation's attack surface means accounting for the devices and software your employees use, including what they install in their browsers.
The following indicators are relevant if you're investigating a potential Needle infection or assessing whether your environment may be at risk:
- The string antiledger-v2/seed-phrases.
- Registry persistence at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for unexpected entries pointing to Rust executables in user directories, and investigate any entry pointing to an executable in a user-writable directory.
Needle is one of dozens of active malware-as-a-service platforms targeting cryptocurrency. The pattern across all of them is consistent: lower the technical barrier for attackers, monetise the infrastructure through affiliate fees, and scale by recruiting operators who pay for access to the platform.
The operational security failures in the Needle analysis (plain-text API keys, client-side-only authentication) suggest rapid development that prioritised functionality over security. This is a recurring pattern in criminal MaaS platforms: they're built quickly, updated frequently, and often contain the same kinds of vulnerabilities they exploit in their victims.
For defenders, this creates intelligence opportunities. Platforms like Needle leave traces in their infrastructure, their binaries, and their operational patterns. Proactive threat intelligence catches these platforms before they reach your users. Reactive incident response catches them after credentials have already been stolen.
Distribution isn't handled by the Needle platform itself: that's left to individual affiliates. Common delivery methods include trojanised software downloads (a fake wallet app distributed through unofficial channels), malvertising (paid ads directing users to convincing fake download pages), and phishing messages targeting cryptocurrency communities. The platform is agnostic to how it reaches the device. It only handles what happens after installation.
Detection rates vary. Rust-compiled binaries are less commonly detected by signature-based antivirus than comparable C or C++ malware, particularly when freshly compiled for each campaign. Behavioural detection is more reliable: alerting on a process that creates a registry Run key or makes outbound connections to known C2 infrastructure will catch what signatures miss. Maintaining updated EDR tools and monitoring the specific indicators listed above is more effective than relying on traditional antivirus alone.
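The behavioural rule described above, a process that writes a Run key and also talks out to the network, is straightforward to express over Sysmon telemetry. The following Python is an added example, not a detection from the Beelzebub report: it correlates Sysmon registry value-set events (Event ID 13) under the Run/RunOnce keys with network connection events (Event ID 3) from the same ProcessGuid inside a time window, in either order. The JSON lines, process GUIDs, paths and the 203.0.113.10 address (a documentation range) are constructed for this example; the field names follow what Sysmon emits, and the 300-second window is an assumption to tune.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed Sysmon events, one JSON object per line, with Sysmon's own field
# names. GUIDs, paths and addresses are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 13, "UtcTime": "2026-03-01 10:00:05.000", "ProcessGuid": "{A1}", "Image": "C:\\Users\\alice\\Downloads\\Exodus-Setup.exe", "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Exodus", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\Exodus\\Exodus.exe"}
{"EventID": 3, "UtcTime": "2026-03-01 10:00:06.000", "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2026-03-01 10:00:07.000", "ProcessGuid": "{A1}", "Image": "C:\\Users\\alice\\Downloads\\Exodus-Setup.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 13, "UtcTime": "2026-03-01 10:01:00.000", "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"}
"""

# Sysmon reports per-user keys as HKU\<SID>\..., so match on the tail only.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                     re.IGNORECASE)


@dataclass
class Alert:
    image: str
    process_guid: str
    run_value: str        # registry value path that was written
    run_target: str       # what the value points at
    destination: str      # ip:port of the correlated connection
    delta_seconds: float  # connection time minus registry-write time


def parse_events(text: str) -> list[dict]:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        # Sysmon's UtcTime format: YYYY-MM-DD HH:MM:SS.mmm
        e["_ts"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return events


def correlate(events: list[dict], window_seconds: float = 300.0) -> list[Alert]:
    """Run-key write (EID 13) and outbound connection (EID 3) by the same
    process within the window, in either order."""
    connections: dict[str, list[dict]] = {}
    for e in events:
        if e["EventID"] == 3:
            connections.setdefault(e["ProcessGuid"], []).append(e)

    alerts = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY.search(e["TargetObject"]):
            continue
        for conn in connections.get(e["ProcessGuid"], []):
            delta = (conn["_ts"] - e["_ts"]).total_seconds()
            if abs(delta) <= window_seconds:
                alerts.append(Alert(
                    e["Image"], e["ProcessGuid"], e["TargetObject"], e["Details"],
                    f'{conn["DestinationIp"]}:{conn["DestinationPort"]}', delta))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[!] {a.image} wrote {a.run_value} -> {a.run_target}; "
              f"connected to {a.destination} {a.delta_seconds:+.0f}s later")
```

In the constructed data only the Exodus-Setup process trips the rule: OneDrive writes a Run value but has no correlated connection, and Chrome's connection belongs to a different ProcessGuid. In production the same logic needs an allowlist for signed installers and updaters, which legitimately do both, and it pairs well with the Rust-binary and user-writable-path checks from earlier in the page to rank what it surfaces.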
If you've entered your seed phrase into a suspected Needle binary, act immediately. Your funds are at risk from the moment the phrase is submitted. Transfer any remaining assets in the compromised wallet to a new wallet with a new seed phrase, generated on a different, clean device. Don't use the same device that was compromised. The attacker has full control of any wallet associated with that phrase and can drain it at any point, including after you believe the incident is over.
Both individuals and businesses are targets. Individuals who hold personal cryptocurrency are direct targets. Businesses that manage treasury assets in cryptocurrency, process payments in digital assets, or have employees who use browser-based wallets are also at risk, potentially with much larger financial exposure. The browser extension attack vector is particularly relevant for enterprise environments because it can harvest credentials for corporate applications alongside personal wallet data.
The Needle Rust agent embedded the C2 API key in plain text in the binary. Beelzebub extracted the key directly from a malware sample and used it to query the C2 API, which returned the full victim database with no additional authentication required. The admin panel's client-side-only authentication was also trivially bypassed. These are fundamental implementation failures, not sophisticated vulnerabilities. The platform operators applied no meaningful protection to their own infrastructure.
Source: Beelzebub Research, March 2026