How Big of a Threat to Your Crypto is Scandalous Pegasus Spyware?

Sead Fadilpašić

A data leak revealed a malware that may have been used for spying on human rights activists, journalists, and lawyers across the world. It infects people’s Android and iOS devices and extracts whatever information is stored on them. Yet, the threat doesn’t seem to be that large for crypto users, according to security experts speaking to, both for technical reasons and because ‘regular’ people aren’t typically such tools’ targets. That said, the risk is still there – even if all the passwords are stored safely.


The Guardian reported, citing “an investigation into a massive data leak” done with 16 other media organizations, that a piece of malware called Pegasus, coming from the Israeli surveillance company NSO Group, has been sold to authoritarian regimes, which used it to target pro-democracy activists and journalists investigating corruption, as well as political opponents and government critics.

NSO Group insists the tool is only intended for use against criminals and terrorists, the report said.

The leak, however, reportedly contains a list of more than 50,000 phone numbers that “have been identified as those of people of interest by clients of NSO since 2016” – including the numbers of more than 180 journalists, and even those of close family members of a country’s ruler.

At least ten governments, believed to be NSO customers, were entering numbers into a system, while the phone numbers spanned more than 45 countries across four continents.

This was done possibly ahead of a surveillance attack.

“Forensics analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware,” stated the Guardian.

Pegasus is spyware, first discovered as an iOS version in 2016, and later for Android as well. According to Dmitry Galov, Security Researcher in the Global Research & Analysis Team (GReAT) at cybersecurity firm Kaspersky, the main infection scheme is sending an SMS with a link to the victim; if they click on it, the device gets infected with the spyware. Also, in order to infect iOS, the spyware exploits zero-day vulnerabilities found in the system.

Even back in 2017, Pegasus for Android was able to read SMS and emails, listen to calls, take screenshots, and access contacts and browser history, among other functionalities, he said.

As for how this could affect crypto, according to Galov, “Pegasus seems to be able to carry out a lot of different actions, including recording keystrokes and accessing various data on the phone.”

If the passwords to crypto wallets are kept on the phone, the risks are clear, he told But even if the passwords are stored securely, there still might be risks, cautioned Galov.

However, the Security Researcher noted that Pegasus is spyware whose purpose, per public information, is primarily collecting information from specific individuals rather than financial crime.

“Still, there are different types of mobile malware that are capable of stealing cryptocurrency (such as Cerberus, for instance). The best advice here would be using a reliable security solution and not storing passwords on the device, unencrypted,” he said.

Per the Kaspersky team’s explanation, Pegasus is a complex and expensive malware, and it is designed to spy on “individuals of particular interest, so the average user is unlikely to encounter it.”

Another expert finds that Pegasus is not necessarily a major threat to crypto users, though caution is always in order.

Gina Kim, a South Korean IT security expert based in Seoul told that, not having seen it in person, “it’s quite difficult to say if this piece of ‘spyware’ could affect crypto apps or not at this stage.”

However, multi-factor authentication systems seem to be of help in these situations.

Per Kim, most major South Korean crypto exchange apps “use fairly sophisticated two or three factor authentication systems that are relatively resistant to most forms of hacking and phone-based malware.”

However, spyware – as the name indicates – poses an arguably large threat to an individual’s or organization’s privacy in either case.

“It is true that such spyware can spy on what and how many cryptocurrencies the user has, degrading their privacy,” said for Tomáš Sušánka, Chief Technology Officer (CTO) at SatoshiLabs, the maker of hardware wallet Trezor.

However, per Sušánka, when it comes to Trezor specifically, those behind the spyware can’t manipulate the cryptocurrency in the wallet unless the user physically approves it. The wallet has the so-called trusted display – therefore, all transactions need to be confirmed by the user on Trezor’s screen, not in any other application or website. “So even in such cases where the phone is affected by malware, Trezor shows the data it actually works with on its display,” meaning that “the malware can’t e.g. send coins to their address, etc,” he said.
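The trusted-display model Sušánka describes, as an added toy illustration (not SatoshiLabs or Trezor code): the signing key lives only on the device, the device renders the transaction it will actually sign from its own memory, and nothing is signed without the user approving what is on that screen. A compromised phone app can substitute a destination address, but the substitution then appears on the device display. HMAC-SHA256 stands in for a real ECDSA signature, and all addresses and keys are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class TxRequest:
    to_address: str
    amount_sats: int


class TrustedDisplayWallet:
    """Toy hardware wallet: key never leaves the device, screen is trusted."""

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key          # held only on the device
        self.display_log: List[str] = []  # what the device screen showed

    def sign(self, request: TxRequest,
             user_confirms: Callable[[str], bool]) -> Optional[bytes]:
        # Render from the request the device received, not from anything
        # the phone's UI claims; the signature covers exactly this text.
        shown = f"Send {request.amount_sats} sats to {request.to_address}"
        self.display_log.append(shown)
        if not user_confirms(shown):
            return None                 # no physical approval, no signature
        return hmac.new(self._key, shown.encode(), hashlib.sha256).digest()


def make_user(intended_address: str) -> Callable[[str], bool]:
    # Simulates a user who reads the device screen and only approves if
    # the address shown is the one they meant to pay.
    return lambda shown: shown.endswith(intended_address)


def attempt_payment(intended_address: str,
                    app_request: TxRequest) -> Tuple[bool, str]:
    """One signing attempt; returns (was_signed, text shown on device)."""
    wallet = TrustedDisplayWallet(b"constructed-demo-key")  # sample key
    sig = wallet.sign(app_request, make_user(intended_address))
    return sig is not None, wallet.display_log[-1]


if __name__ == "__main__":
    good = "bc1qgoodaddress"            # constructed sample addresses
    honest = attempt_payment(good, TxRequest(good, 50_000))
    swapped = attempt_payment(good, TxRequest("bc1qattackeraddr", 50_000))
    print("honest app:", honest)        # (True, 'Send 50000 sats to bc1qgoodaddress')
    print("malware app:", swapped)      # (False, 'Send 50000 sats to bc1qattackeraddr')
```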

As Pegasus targets Android and iOS devices specifically, Trezor is not affected directly, said the CTO, adding that “the wallet runs single-purpose custom software which is written and maintained by SatoshiLabs and fully open-source for auditability.”

It is worth distinguishing between two concepts: spyware and vulnerabilities, said Kaspersky’s Galov. Pegasus is spyware that, in order to infect iOS, exploits zero-day vulnerabilities – those that the developer does not know about and for which a fix has not yet been released. Such vulnerabilities, once found, can be exploited by cybercriminals to mount a variety of attacks, including targeted ones.

Both spyware and zero-day vulnerabilities can be sold and bought on the darknet by various groups, and the price of vulnerabilities can reach USD 2.5m – which is “how much was offered in 2019 for the full chain of vulnerabilities in Android,” Galov said. He added that, “interestingly, that year, for the first time, an Android vulnerability turned out to be more expensive than an iOS vulnerability.”

Generally speaking, the best way to stay protected against such tools as Pegasus is to “provide as much information on these cases as is possible, to related software and security vendors,” said Galov. “Software developers will fix the vulnerabilities exploited by the attackers and security vendors will take measures to detect and protect users from them.”

Meanwhile, Paolo Ardoino, CTO at crypto exchange Bitfinex, advises all cryptocurrency users to “store funds that are not being held for trading purposes offline in cold storage using a hard wallet device.”

“The public and private keys are at the heart of all available crypto wallet solutions,” added crypto exchange OKEx’s CEO Jay Hao. Even when a cold wallet is completely isolated from a network, and 95% of funds on the exchange are stored in the cold wallet, keys “can be compromised by viruses and attacked when connected to a network.” Therefore, the CEO said, OKEx’s cold wallet private keys are protected with the Advanced Encryption Standard (AES), an algorithm commonly used by various government agencies and major financial institutions.

With additional reporting by Tim Alper.
(Updated on July 21, 10:13 UTC, with comments from Bitfinex and OKEx.)