  • Written in C++, it scans the user’s “User Data” folders in browsers to extract session tokens, allowing hackers to bypass login screens.
  • The malware is often hidden inside fake “holiday giveaway” links, pirated games, or fraudulent “free mint” NFT offers.
  • It specifically hunts for browser cookies, saved credit cards, and crypto wallet extensions like MetaMask and Phantom.

While you’re exchanging gifts, hackers are busy taking them. Researchers have noticed a big rise in SantaStealer activity. This spyware turns your digital Christmas into a financial nightmare.

Unlike ransomware, SantaStealer goes undetected. It is an “infostealer,” a digital pickpocket that breaks into your computer, steals your most important passwords, and then leaves without you knowing.

Threat intelligence indicates that this strain has grown. The early versions were hard to use, but the 2025 version is faster and easier to use. It was made for the busy Christmas shopping season, when people are less careful about clicking links.

SantaStealer goes after your portfolio as well as your email password.

Once installed, which usually happens when a victim clicks through a malicious website advertising “Free Holiday Crypto” or downloads a malicious file, the malware looks for certain folders on the computer. It goes after SQLite databases in Chrome, Edge, and Brave.

Why does it matter? Your browser saves “session cookies.” If hackers get your active session cookie, they can get into your email or exchange accounts without your password or 2FA code.

Web3 wallets are at the top of the malware’s “naughty list.” It looks for local data files for browser extensions like:

  • MetaMask
  • Phantom (Solana)
  • Coinbase Wallet
  • Rabby

Attackers can brute-force encryption or import session data to steal money after exfiltrating these files to a Command and Control (C2) server.
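The access pattern described above can be watched for on the defender's side. The following is an added example, not code from the researchers or from the malware: it flags any non-browser process that reads the Chrome, Edge, or Brave profile databases or extension storage. It assumes file-access telemetry is already available as (process image, file path) pairs; the sample events and the name HolidayViewer.exe are constructed.

```python
import re
from pathlib import PureWindowsPath

# Chromium-family profile roots (Chrome, Edge, Brave) under %LOCALAPPDATA%.
PROFILE_ROOT = re.compile(
    r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
    r"\\User Data\\", re.IGNORECASE)

# Profile files that hold the data the article lists.
SENSITIVE = {
    "cookies": "session cookies",
    "login data": "saved passwords",
    "web data": "saved cards / autofill",
    "local state": "key protecting the databases",
}
EXTENSION_DIR = "local extension settings"  # where wallet extensions keep local data
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # expected readers

def classify(path):
    """Return a label if path is sensitive browser data, else None."""
    if not PROFILE_ROOT.search(path):
        return None
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if EXTENSION_DIR in parts:
        return "wallet/extension storage"
    return SENSITIVE.get(parts[-1])

def suspicious_reads(events):
    """events: iterable of (process image path, file path) tuples."""
    hits = []
    for image, target in events:
        name = PureWindowsPath(image).name
        label = classify(target)
        if label and name.lower() not in BROWSERS:
            hits.append((name, label))
    return hits

# Constructed sample events (not real telemetry); all names are hypothetical.
FAKE = r"C:\Users\a\Downloads\HolidayViewer.exe"
UD = r"C:\Users\a\AppData\Local"
SAMPLE = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     UD + r"\Google\Chrome\User Data\Default\Network\Cookies"),
    (FAKE, UD + r"\Google\Chrome\User Data\Default\Network\Cookies"),
    (FAKE, UD + r"\BraveSoftware\Brave-Browser\User Data\Default"
           r"\Local Extension Settings\abcdefgh\000003.log"),
    (FAKE, r"C:\Users\a\Documents\notes.txt"),
]

if __name__ == "__main__":
    for name, label in suspicious_reads(SAMPLE):
        print(f"ALERT: {name} read {label}")
```

Backup and security tools also read these files, so a real deployment needs an allowlist of known-good process images before alerting.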

This malware works because of how it spreads. Security companies say that phishing attacks that use social engineering have gone through the roof.

Hackers often send “Exclusive Christmas NFT Drops” or “End of Year Trading Bonuses” to Discord and X (formerly Twitter). The URL tells the user to download a small program, usually a PDF or image viewer, that runs SantaStealer in the background.

A study on similar infostealers says these methods work because they take advantage of FOMO at the end of the year.

The creation of SantaStealer shows that self-custody demands constant vigilance. No matter how good the deal sounds, security experts say you shouldn’t download executable files from sites you don’t know.

Using a hardware wallet like Ledger or Trezor gets rid of this risk. Even if SantaStealer gets into your PC and steals browser data, it can’t move money without your hardware wallet’s physical confirmation.