Minecraft users targeted by criminals posing as game coders
The malicious software targeting gamers was described as a "digital verruca" that "buries itself into the machine" by the team that discovered it.
Friday 20 June 2025 14:12, UK
Minecraft users are being targeted by criminals posing as game coders online.
Analysts tracked two pieces of malware spread by what appears to be Russian gangs on the code-sharing site GitHub, , according to cybersecurity firm Check Point.
Its researchers said: "The malware is developed by a Russian-speaking threat actor and contains several artefacts written in the Russian language."
Thousands of Minecraft users have already been tricked into using the malware, which is designed to steal from bank accounts, cryptocurrency wallets, browsers and other computer applications.
Graeme Stewart, head of public sector at Check Point, said it was similar to the way "gangs operate to take down retail... they create this and then they flood it out to people and people then use it".
He described them as "modern-day bank heist guys".
"They're just in it for the money," he said. "They're scraping these details from Minecraft to get into people's crypto wallets, trying to steal bank details, trying to commit bank fraud."
The hacking software is hidden within the code of Minecraft modifications, which are pieces of code that allow users to change the game.
Minecraft allows users to modify the game as they play - players can do anything from fixing bugs to changing how the game looks.
But when players download the malicious code and place it into their Minecraft application, they don't get the ability to create "funny maps" or modify the game as promised.
Instead, the next time they load Minecraft, the malware will trigger, and soon, "it will start actively stealing data", according to Mr Stewart.
"Most people have got their cards saved onto their browser and things like that, it'll start stealing that, names, addresses, emails, bank details, anything.
"If anyone's got a crypto wallet that they use through the browser, then it'll steal that as well."
"It's like a digital verruca, it buries itself into the machine and then starts sucking the information out," said Mr Stewart.
Of the 200 million people thought to play Minecraft every month, around one million modify the game, and a lot of the code they use to do that is posted on GitHub.
According to Ofcom, around 1.7 million gamers play Minecraft in the UK.
A Minecraft spokesperson told Sky News that player safety is a "top priority for us" and the company is "committed to investigating reported security violations".
"When we receive reports of content that does not comply with our usage guidelines, we take action as appropriate," they said.
"We encourage players to report any suspicious content through our official website and leverage our resources to make informed choices."
Hackers are increasingly targeting gamers in this way, with the UK's National Cyber Security Centre warning families to stay alert to dangerous downloads like this.
"There were some of us who thought it was only a matter of time before this particular vulnerability starts getting exposed en masse," said Dr Harjinder Lallie, a cyberattack academic at the University of Warwick.
"That's where we're going now."
Although children may fall prey to this kind of attack, the group Dr Lallie and his colleagues worry about more are "young adults who have admin [rights] on their own computer".
"They're just a bit more savvy. They really want that mod; they want those extra features. And if it means [they] have to turn off the Microsoft Defender system for two minutes while [they] install it, then [they'll] turn it off, install that mod, and then turn it back on afterwards. By that time, the damage has been done," said Dr Lallie.
Read more from Sky News:
'Staggering' security breach at RAF base
'The next sexual violence epidemic facing schools'
SpaceX rocket explodes into giant fireball
Follow our channel and never miss an update
Be the first to get Breaking News
Install the Sky News app for free
The users mentioned in the report had already had their accounts disabled and GitHub told Sky News it is "committed to investigating reported security issues".
"We disabled user accounts in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms," said a spokesperson.
The company also has teams dedicated to finding and removing malicious content as well as using AI and humans to monitor the site at scale, according to the spokesperson.