CrowdStrike and Google Shut Down Glassworm Botnet Targeting Crypto Wallets

A botnet called Glassworm that hijacked crypto wallet credentials via poisoned open-source supply chains has been dismantled by CrowdStrike and Google. The operation, confirmed this week by the two security firms, cut off the infrastructure that let attackers inject malicious code into popular developer libraries and harvest private keys and seed phrases from thousands of wallets. The takedown is a rare joint effort between a cybersecurity vendor and a major tech platform, and it underscores how crypto theft has moved beyond exchanges and into the software that powers them.

How the botnet worked

Glassworm didn't target end users directly. Instead, it compromised open-source packages that developers rely on—think npm, PyPI, or similar registries. Once a developer installed a tainted library, the botnet could silently extract any cryptocurrency wallet credentials stored on that machine or passed through it. The attackers essentially turned trusted code into a backdoor. CrowdStrike and Google say they've been tracking the operation for months, and the takedown involved seizing command-and-control servers and sinkholing domains the botnet used to phone home.

Who was affected

The specific number of compromised wallets isn't public yet, but the security firms say victims span both individual traders and small crypto businesses. Because the attack vector was open-source software, anyone who used a compromised package—often without knowing it—could have had their credentials lifted. That makes the breach hard to detect after the fact. CrowdStrike and Google have released indicators of compromise so developers and exchanges can check their systems.
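Because the attack vector described above is a tainted dependency rather than a malicious binary, the practical first check is to compare what a project's lockfiles actually pin against the published indicators of compromise. The following Python script is an added example, not tooling from CrowdStrike, Google, or the article; the IoC feed and the lockfile contents in it are constructed placeholders, not real Glassworm indicators, and would be replaced with the vendors' released lists. It walks both npm `package-lock.json` layouts (the v2/v3 `packages` map and the older `dependencies` tree) and a pinned `requirements.txt`, normalizing PyPI names before lookup so spelling variants such as `Example_Keyring.Shim` still match.

```python
"""Scan dependency lockfiles for packages listed in a supply-chain IoC feed.

Added example, not CrowdStrike's or Google's tooling. The IoC entries and
sample lockfiles below are constructed placeholders, not real indicators.
"""
import json
import re

# Constructed placeholder IoC feed: registry -> {package name: set of bad versions}.
# A version set of {"*"} flags every version of that package.
IOC_FEED = {
    "npm": {"example-wallet-utils": {"1.4.2", "1.4.3"}, "example-seed-helper": {"*"}},
    "pypi": {"example-keyring-shim": {"0.9.1"}},
}


def _normalize(registry, name):
    """npm names are already lowercase; PyPI names fold -, _ and . to - (PEP 503)."""
    name = name.lower()
    if registry == "pypi":
        name = re.sub(r"[-_.]+", "-", name)
    return name


def _is_flagged(registry, name, version):
    bad = IOC_FEED.get(registry, {}).get(_normalize(registry, name))
    if bad is None:
        return False
    return "*" in bad or version in bad


def scan_package_lock(lock_text):
    """Return sorted (name, version) pairs from an npm package-lock.json that hit the feed."""
    data = json.loads(lock_text)
    hits = set()
    # lockfile v2/v3: flat "packages" map keyed by install path
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # keep the last segment after "node_modules/", which preserves @scope/name
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if _is_flagged("npm", name, version):
            hits.add((name, version))

    # lockfile v1 (and v2 for compatibility): nested "dependencies" tree
    def walk(deps):
        for name, meta in deps.items():
            version = meta.get("version", "")
            if _is_flagged("npm", name, version):
                hits.add((name, version))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


def scan_requirements(req_text):
    """Return sorted (normalized name, version) pairs from a pinned requirements.txt that hit the feed."""
    hits = set()
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if not m:
            continue  # unpinned (>=, ~=) or non-package lines cannot be matched exactly
        name, version = m.group(1), m.group(2)
        if _is_flagged("pypi", name, version):
            hits.add((_normalize("pypi", name), version))
    return sorted(hits)


# Constructed sample inputs, not taken from any real project.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-wallet-utils": {"version": "1.4.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/example-seed-helper": {"version": "2.0.0"},
    },
})

SAMPLE_REQUIREMENTS = """
# constructed sample
requests==2.31.0
Example_Keyring.Shim==0.9.1   # spelling variant, normalized before lookup
example-keyring-shim>=1.0     # unpinned, skipped
"""

if __name__ == "__main__":
    for registry, hits in (("npm", scan_package_lock(SAMPLE_PACKAGE_LOCK)),
                           ("pypi", scan_requirements(SAMPLE_REQUIREMENTS))):
        for name, version in hits:
            print(f"[{registry}] flagged dependency: {name}=={version}")
```

A hit only says that a flagged package version is pinned; the follow-up is the one the article describes: purge the dependency, rebuild from a clean lockfile, and rotate any keys or credentials that were reachable from machines where it was installed.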

What happens next

Google has notified the maintainers of the affected open-source projects and pushed updates to purge the malicious code. CrowdStrike is urging crypto platforms to rotate any API keys or credentials that may have touched compromised libraries. The botnet itself is offline, but the same supply-chain method will almost certainly be reused. The question now is whether the open-source ecosystem can move faster to vet contributions—or if this takedown is just a temporary win in a longer fight.