Fake Pixelmon NFT site infected with password-stealing malware

The Trust Project is a worldwide group of news organizations working to establish transparency standards.

Cybersecurity image featuring lock and globe with circuits superimposed over them
Image by Tumisu / Pixabay

According to a report from Bleeping Computer, an authentic-looking Pixelmon NFT website offering collectibles and tokens for free is a honeypot that downloads malicious password-stealing software to users’ computers.

Pixelmon is a Pokemon-inspired, blockchain-based RPG that lets players traffic in Pixelmon creatures as nonfungible tokens (NFTs). It’s surprisingly popular given its inauspicious beginning, which, as CNET noted, made it a “laughingstock” on social media after the game’s low-quality images were revealed.

Pixelmon has around 25,000 members and about 200,000 followers between its Discord and Twitter accounts. For the cybercriminals who set up the malware-infested site, that’s a pretty large pool of potential victims.

Bleeping Computer explains how scammers set up the fake:

To take advantage of this interest, threat actors have copied the legitimate pixelmon.club website and created a fake version at pixelmon[.]pw to distribute malware… This site is almost a replica of the legitimate site, but instead of offering a demo of the project’s game, the malicious site offers executables that install password-stealing malware on a device.”

Security researchers specializing in malware detection found several malicious payloads connected to the site, including the Vidar password-stealer. If this makes it onto your machine, it will start funneling loads of sensitive data back to the bad actors’ command and control servers. This makes NFT collectors especially vulnerable because it could lead to a compromised cryptocurrency wallet.

It’s worth echoing a warning from Bleeping Computer that NFT-related websites are delicious targets these days, so it’s a good idea always to make sure you’re visiting the site you were seeking. It’s an easy bet to say that this isn’t the only fake, and scammers will keep making them as long as they can make a buck or three off the unwary.

Read related posts:


All of the information on our website is provided in good faith and solely for educational reasons. Any action taken by the reader in response to material on our website is entirely at his own risk.

Steve Huff

Managing editor, mpost.io. Former Deputy Digital Editor, Maxim magazine. Bylines in Observer, Inside Hook, Android Police, Motherboard. Author of official "Better Call Saul" tie-ins "Don't Go to Jail," and "Get off the Grid."

Follow Author

More Articles

Leave a Reply

Your email address will not be published. Required fields are marked *