Microsoft announced Tuesday that its researchers observed the emergence of a type of malware that collects and exfiltrates data directly from cryptocurrency wallets.

In a blog post, the Microsoft 365 Defender Research Team calls the information-stealing malware “cryware.” The crypto wallets, also known as “hot wallets,” are stored locally on a device and provide easier access to the cryptographic keys needed to perform transactions, the researchers wrote.

Instead of depending on ransomware targets to manually transfer cryptocurrency as ransom payment or using cryptojackers to mine crypto, attackers using cryware can target hot wallet data to quickly transfer the cryptocurrencies to their own wallets. 

“Unfortunately for the users, such theft is irreversible: blockchain transactions are final even if they were made without a user’s consent or knowledge,” the researchers wrote. 

The attackers use clipping and switching, memory dumping, phishing and other scams to attempt to steal hot wallet data.

The Microsoft researchers provided details of the attack surfaces, as well as best practices for securing cryptocurrency transactions, which include locking hot wallets when not actively trading and disconnecting sites connected to the wallet.