CrowdStrike and Google jointly took down the Glassworm botnet this week, a criminal operation that stole cryptocurrency from software developers by draining their wallets. The takedown, announced on Thursday, underscores how attackers are increasingly going after developers — whose machines hold keys, tokens, and access to code repositories — rather than exchanges or DeFi apps directly.
How the Glassworm botnet worked
Glassworm was designed to infect developers' systems and then grab their crypto wallet credentials and private keys. Once inside, the botnet could empty wallets without any obvious warning sign — no phishing email, no fake airdrop. The malware spread through poisoned open-source packages, meaning developers who downloaded what looked like legitimate libraries were actually installing backdoors. CrowdStrike and Google’s joint investigation showed the botnet had been active for at least six months before the takedown.
Inside the takedown operation
Both companies declined to name specific court orders or share technical details of the disruption, but they confirmed they worked together to seize command-and-control infrastructure and block domains used to coordinate the botnet. The operation was part of a broader push by Google’s Threat Analysis Group and CrowdStrike’s Falcon Intelligence unit to cut off the supply chain vector. Google said it also pushed security updates to its package registry tools to flag suspicious uploads.
The Glassworm case is a reminder that open-source ecosystems are only as secure as the weakest package. Developers often pull hundreds of dependencies a day, and a single compromised library can hand attackers access to wallets, tokens, and SSH keys. The takedown doesn't fix the underlying problem — malicious packages can still slip through — but it does put package managers and security vendors on notice. CrowdStrike and Google haven't disclosed whether any stolen funds were recovered, and it's unclear how many developers were hit. What's clear is that the botnet's operators were betting on developers being too busy to vet every dependency. That bet didn't pay off this week.




