TrickMo malware is now using the TON blockchain for hidden communications in attacks on bank and crypto wallet users in Europe.
TrickMo, an Android banking trojan active since 2019, has added a new hiding layer by moving its command traffic onto The Open Network, or TON, according to new research from ThreatFabric, a Netherlands-based cybersecurity firm.
The new version, tracked as TrickMo.C, has been active since at least January 2026 and targets banking, crypto wallet and authenticator apps in France, Italy and Austria, the research found.
ThreatFabric also said the malware is being pushed through campaigns disguised as TikTok or live-streaming apps.
The stealing techniques used by TrickMo aren’t entirely new. After gaining access to the app, TrickMo can present phony banking login pages, take screenshots and even manipulate the phone remotely.
What is new is that TrickMo no longer communicates through conventional internet domain names, which can be intercepted, but instead uses the TON blockchain as its infrastructure.
The malware does this through hidden .adnl addresses, TON’s own alternative to normal website domains, and an embedded TON proxy running on the infected phone.
As ThreatFabric explained, “traditional domain takedowns are largely ineffective” because the operator endpoints don’t rely on public DNS, while network defenders mostly see encrypted TON traffic that can blend in with other TON-enabled apps.
Blockchains Become Malware Tools
The upgrade also lets attackers use infected devices to carry out further network activity: the malware can probe web servers, trace network routes and tunnel traffic through the infected phone.
But TrickMo isn’t the first malware to use blockchains this way. Google said in 2021 that the Glupteba botnet, which infected about 1 million Windows devices, used the Bitcoin blockchain as a backup command system to recover server addresses after takedowns.
The tactic has since spread. Google’s Threat Intelligence Group said North Korea-linked UNC5342 used Ethereum and BNB Chain from February 2025 to hide malware components in smart contracts.
Solana has also appeared in malware infrastructure. The GlassWorm supply-chain campaign, active since at least March 2025, used Solana as a command-and-control channel while stealing developer tokens, credentials and secrets from compromised GitHub repositories.
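The common thread in these cases (TON, Bitcoin, Ethereum, BNB Chain, Solana) is that the command channel cannot be sinkholed, so the defensive signal shifts from "which domain is this app talking to" to "why is this app talking to a blockchain at all". The following added example, which is not code from ThreatFabric or from the article, shows that idea as a per-app audit over constructed network telemetry: it assumes a hypothetical flow classifier that labels transports (`ton-adnl`, `eth-json-rpc`, `solana-rpc`), a constructed allowlist of packages expected to speak each protocol, and uses the disguise pattern the article describes (an app labelled like TikTok or a live-streaming app whose package name does not match) to raise severity.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical flow records: what a per-app network monitor might emit once a
# protocol classifier has labelled the transport. All values are constructed.
@dataclass(frozen=True)
class FlowRecord:
    package: str        # Android package name that generated the traffic
    app_label: str      # display name shown to the user
    proto: str          # classifier label, e.g. "ton-adnl", "eth-json-rpc", "https"
    bytes_out: int

# Blockchain-flavoured protocol labels, each mapped to the packages we expect
# to speak it on a managed device (constructed allowlist, not real package names).
EXPECTED_SPEAKERS: Dict[str, Set[str]] = {
    "ton-adnl":     {"example.wallet.ton"},
    "eth-json-rpc": {"example.wallet.eth"},
    "solana-rpc":   {"example.wallet.sol"},
}

# Brands the article says TrickMo impersonates; a matching display name with
# an unrelated package name is treated as a disguise indicator.
IMPERSONATED_LABELS = {"tiktok", "live"}


def brand_mismatch(rec: FlowRecord) -> bool:
    """True when the display name borrows a popular brand but the package name
    does not contain it (e.g. label 'TikTok Live', package 'com.example.player')."""
    label = rec.app_label.lower()
    pkg = rec.package.lower()
    return any(b in label and b not in pkg for b in IMPERSONATED_LABELS)


def audit_flows(flows: List[FlowRecord]) -> List[dict]:
    """Flag apps that emit blockchain traffic without being an expected speaker.

    Because a blockchain transport cannot be taken down like a C2 domain, the
    unexpected speaker itself is the signal worth escalating. One alert is
    raised per (package, protocol) pair regardless of how many flows were seen.
    """
    alerts: List[dict] = []
    seen: Set[tuple] = set()
    for rec in flows:
        if rec.proto not in EXPECTED_SPEAKERS:
            continue  # ordinary traffic; out of scope for this check
        if rec.package in EXPECTED_SPEAKERS[rec.proto]:
            continue  # known wallet/node app, expected to speak this protocol
        key = (rec.package, rec.proto)
        if key in seen:
            continue
        seen.add(key)
        severity = "high" if brand_mismatch(rec) else "medium"
        alerts.append({
            "package": rec.package,
            "proto": rec.proto,
            "severity": severity,
            "reason": f"unexpected {rec.proto} traffic from non-wallet app",
        })
    return alerts


# Constructed sample telemetry: one legitimate wallet, one disguised app that
# speaks TON's ADNL transport twice, one benign app, one unexplained Solana caller.
SAMPLE_FLOWS = [
    FlowRecord("example.wallet.ton", "TON Wallet", "ton-adnl", 4096),
    FlowRecord("com.example.player", "TikTok Live", "ton-adnl", 900),
    FlowRecord("com.example.player", "TikTok Live", "ton-adnl", 1200),
    FlowRecord("com.example.notes", "Notes", "https", 300),
    FlowRecord("com.example.build", "Build Tool", "solana-rpc", 5000),
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is the part that does the work: on a fleet where no app is expected to speak ADNL, any such traffic is an alert, which is exactly the asymmetry the article points out, since the traffic is encrypted and blends with legitimate TON apps only if such apps are actually present on the device.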