
Coordinated takedown on May 26 severed Glassworm's four C2 channels. The botnet compromised 300+ open source packages and targeted 49 wallet extensions using Solana memos.
A coordinated operation on May 26 simultaneously severed all four command-and-control channels of the Glassworm botnet, a malware network that compromised over 300 open source packages and specifically targeted 49 types of cryptocurrency wallet extensions. The takedown, executed by CrowdStrike, Google, and the Shadowserver Foundation, cut off operators assessed to be likely based in Russia from their infected systems in one move.
Glassworm did not rely on a single server. It built a resilient, multi-layered C2 system using Solana blockchain transaction memos, BitTorrent DHT, Google Calendar events, and traditional servers. The botnet was self-propagating across Windows, macOS, and Linux, and used hidden Unicode characters to evade code review.
For the crypto sector, the takedown removes an active threat to wallet credentials. The architecture of the attack raises a broader question: how future botnets might use public blockchains as immutable communication layers.
The operation targeted all four C2 channels at once, preventing the operators from re-establishing control. The botnet had been active since early 2025, giving it roughly 18 months to operate before the takedown.
By hitting all four simultaneously, the takedown avoided the common failure mode where botnet operators switch to a backup channel after a single server seizure.
The malware spread through trusted developer tools and package registries. It compromised packages across:
Over 300 packages were infected. The botnet was self-propagating: once it landed on a system, it could spread to other packages and extensions without manual operator input. Hidden Unicode characters made malicious code invisible to human reviewers.
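Both the overview above and this paragraph note that Glassworm hid malicious code behind Unicode characters that do not render in a code review. The following scanner, added here as an illustration and not part of the report or of any vendor's tooling, walks source text code point by code point and reports format-control, bidirectional-override, variation-selector, tag and private-use characters; the list of code points and the constructed sample file are assumptions for the example, not the characters Glassworm actually used.

```python
"""Flag invisible or display-altering Unicode code points in source files."""
import unicodedata
from pathlib import Path

# Code points that render invisibly or reorder text. This set is an assumption
# for the example; the report does not say which characters Glassworm used.
INVISIBLE_CODEPOINTS = {
    0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,   # zero-width space/joiners, word joiner, BOM
    0x200E, 0x200F,                           # left-to-right / right-to-left marks
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # bidi embeddings and overrides
    0x2066, 0x2067, 0x2068, 0x2069,           # bidi isolates
    0x00AD,                                   # soft hyphen
}


def is_suspicious(ch: str) -> bool:
    """True for characters a reviewer cannot see or that reorder what they see."""
    cp = ord(ch)
    if cp in INVISIBLE_CODEPOINTS:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:   # variation selectors
        return True
    if 0xE0000 <= cp <= 0xE007F:                             # tag characters
        return True
    # Remaining format controls, private-use and unassigned code points.
    return unicodedata.category(ch) in ("Cf", "Co", "Cn")


def scan_source(text: str, path: str = "<constructed>") -> list[dict]:
    """Return one finding per suspicious code point, with its line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unassigned>"),
                })
    return findings


def scan_tree(root: str, suffixes=(".js", ".ts", ".mjs", ".py", ".json")) -> list[dict]:
    """Scan every file under root with one of the given suffixes (undecodable files are skipped)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            try:
                findings.extend(scan_source(p.read_text(encoding="utf-8"), str(p)))
            except UnicodeDecodeError:
                continue
    return findings


# Constructed sample: a short JavaScript module seeded with a zero-width space,
# a right-to-left override pair and two invisible tag characters.
SAMPLE_SOURCE = (
    "const pkg = require('./index');\n"
    "function verify(sig) {\u200b return true; }\n"
    "// \u202egnirts\u202c reversed display\n"
    "const key = 'abc\U000E0041\U000E0042';\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['path']}:{f['line']}:{f['col']} {f['codepoint']} {f['name']}")
```

Run against a checked-out package (`scan_tree("node_modules/some-package")`) before it is trusted; a clean result is not proof of safety, but any hit in a file that is supposed to be plain ASCII source deserves a manual look.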
Developers who install packages from these registries without rigorous verification during the botnet's active window may have compromised machines. If those machines also hold cryptocurrency wallet extensions, the credential theft risk is direct.
Blockchains are censorship-resistant by design. By embedding instructions inside on-chain transaction memos, the operators created a communication layer that is publicly accessible, immutable, and difficult to censor without disrupting the entire blockchain. The takedown succeeded because the other three channels were also disrupted, not because the Solana memos were removed.
For the crypto sector, this is a signal that blockchain infrastructure is being weaponized for command-and-control. Exchanges and wallet providers may need to monitor on-chain patterns for signs of botnet activity.
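The paragraphs above describe instructions carried in Solana transaction memos and suggest that exchanges and wallet providers watch on-chain patterns. The script below, an added example rather than anything from the report or from the organisations involved, is a first-pass triage of memo strings: it flags memos that are long hex or base64 blobs with non-trivial entropy, and memos that contain or decode to a URL. The thresholds, patterns and the constructed memo list are assumptions; the real encoding Glassworm used is not described on the page, and a filter like this only narrows what an analyst looks at.

```python
"""Heuristic triage of transaction memo strings for encoded-payload shapes."""
import base64
import binascii
import math
import re
from collections import Counter

# Thresholds and patterns are assumptions for this example, not values from the report.
MIN_BLOB_LEN = 16
ENTROPY_THRESHOLD = 3.5   # bits per character; screens out padding-like repeats
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
HEX_BLOB = re.compile(r"(?:[0-9a-fA-F]{2}){%d,}" % (MIN_BLOB_LEN // 2))
URL_MARK = re.compile(r"\b(?:https?|wss?)://", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_memo(memo: str) -> list[str]:
    """Return the list of reasons a memo looks like a carrier for instructions (empty if none)."""
    text = memo.strip()
    reasons = []
    if URL_MARK.search(text):
        reasons.append("memo contains URL")
    if HEX_BLOB.fullmatch(text):
        reasons.append("hex-encoded data")
    elif B64_BLOB.fullmatch(text) and shannon_entropy(text) >= ENTROPY_THRESHOLD:
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error:
            raw = None
        if raw is not None:
            reasons.append("base64-encoded data")
            try:
                decoded = raw.decode("ascii")
            except UnicodeDecodeError:
                decoded = ""
            if URL_MARK.search(decoded):
                reasons.append("decoded payload contains URL")
    return reasons


def triage_memos(memos):
    """Pair each flagged memo with its reasons; clean memos are dropped."""
    return [(m, r) for m in memos if (r := classify_memo(m))]


# Constructed sample memos: two benign notes, one low-entropy blob that the
# entropy guard should ignore, a hex blob, a base64-wrapped URL and a bare URL.
SAMPLE_MEMOS = [
    "Thanks for the coffee!",
    "gm",
    "zzzzzzzzzzzzzzzzzzzz",
    "4d5a90000300000004000000ffff0000",
    base64.b64encode(b"https://c2.example.invalid/tasks?id=7").decode("ascii"),
    "update: https://wallet.example.invalid/latest",
]

if __name__ == "__main__":
    for memo, reasons in triage_memos(SAMPLE_MEMOS):
        print(f"{memo!r}: {', '.join(reasons)}")
```

In practice the memo strings would come from a node's transaction feed; the point of the example is the shape of the filter (blob detection, an entropy guard and a decode-then-inspect step), which an analyst would tune against real traffic rather than use as-is.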
The botnet targeted 49 different types of cryptocurrency wallet extensions. The source does not name the specific extensions. The breadth suggests coverage of major browser-based wallets across Ethereum, Solana, Bitcoin, and other ecosystems.
The immediate action is to audit installed packages and extensions. For developers, scanning for known malicious packages from the Glassworm campaign is a first step. For crypto holders, using hardware wallets or dedicated devices for transactions reduces exposure to browser-based credential theft.
The Glassworm takedown is a win for supply-chain security. The use of Solana as a C2 channel is a reminder that blockchain's censorship resistance cuts both ways. The next botnet may not have three other channels to disrupt.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.