A keylogger works by installing itself deep in a device's operating system or browser, then silently logging every character a victim types before that data is bundled and sent back to an attacker's server. Some variants log locally and wait for manual retrieval; others exfiltrate in real time over the internet, often disguised as legitimate background processes to avoid antivirus detection.
Keyloggers reach victims through infected downloads, malicious browser extensions, fake wallet apps, cracked software, or booby-trapped USB drives, and they are frequently bundled with other spyware. Modern strains pair keystroke logging with clipboard hijacking, silently swapping a copied wallet address for the attacker's own, and with screen capture, so a criminal can watch a victim type a seed phrase and see the confirmation screen at the same moment.
For crypto holders the danger is severe because a single logged exchange password or wallet passphrase can drain an account permanently, unlike a stolen credit card number, which can be canceled. Keyloggers are also a common payload delivered through phishing emails and fake support downloads.
- Store recovery phrases offline on paper or metal, never typed into a browser or notes app
- Use a hardware wallet so private keys never touch an internet-connected device, even if it is infected
- Enable hardware-based two-factor authentication rather than SMS or typed codes
- Keep operating systems, browsers, and antivirus software patched and run regular malware scans