Private key theft has transitioned from a common hacking method to a fully operational business, according to GK8, a crypto custody expert owned by Galaxy Digital, Mike Novogratz’s crypto investment platform.
In a report published Monday, GK8 detailed how private key theft has evolved into an industrialized operation, highlighting the rise of black market tools that allow perpetrators to locate and steal a user’s seed phrase.
The study pointed to several tools, such as malware infostealers and seed phrase finders, that can scan files, documents, cloud backups, and chat histories to quickly extract a user’s private key, effectively giving attackers full control over their assets.
“For the crypto industry, using secure custody, implementing multi-step approval processes, and enforcing role separation are essential to mitigating the risk posed by this commercialized and constantly evolving threat,” the report states.
The Malware Foundation of Private Key Theft
According to GK8, private key theft is a multi-stage process that typically begins with hackers employing malware to steal large volumes of data from an infected device.
Threat actors then utilize automated tools to process the stolen data, enabling them to reconstruct seed phrases and private keys. Once wallets containing valuable assets are identified, attackers proceed to assess the security measures in place before attempting to drain the funds.
“These applications perform high-precision mnemonic parsing, transforming raw logs into keys, and are sold for hundreds of dollars on darknet forums,” GK8 revealed in the report.
Malware infostealers, a specific type of malware designed for the silent harvesting of data from victims’ devices, have seen a notable increase in recent years. Cybercrime threat intelligence firm Kela indicates that macOS users are not immune to these threats.
“Once considered relatively safe due to Apple’s built-in protections, macOS devices are still a target for cybercriminals,” Kela said in a report published November 10, noting that macOS infostealer activity “appears to be peaking in 2025.”
User Protection Strategies Against Evolving Threats
Amidst the escalating number of private key hacks, users can enhance their security by adopting several key practices. GK8 recommends assuming that all local device data could potentially be compromised, never storing seed phrases in digital form, employing multiparty approval for transactions, and relying on secure custody systems.
“A healthy combination of hot, cold, and impenetrable vault storage is necessary to minimize the asset value exposed to an immediate drain,” GK8 advised.
Kela has warned that malware infostealers frequently leverage social engineering tactics. These methods often involve fake installers, poisoned advertisements, or phishing campaigns designed to deceive users into compromising their security.
To maintain safety, users should exercise extreme caution with attachments and links, avoid downloading software from untrusted sources, and be vigilant against scams that exploit macOS's reputation for security.
The firm also emphasized the critical importance of using strong, unique passwords for all financial applications. Additionally, enabling multifactor authentication and ensuring that macOS and all installed applications are kept up to date are vital steps in preventing malware from accessing sensitive information.