Trojan Pony Botnet
Trojan Pony Botnet stole $220,000 from online wallets
Trojan Pony Botnet
Trojan Pony Botnet stole $220,000 from online wallets

A trojan named “Pony” has been blamed for stealing more than $220,000 worth of cryptocurrencies from users’ online wallets. Many of those users may still be unaware of their loss.

Please note that a client wallet hosted on your PC or phone is not affected by this security alert.


Not Only Bitcoin

The trojan Pony, which operated as an advanced botnet between September 2013 and mid-January 2014, stole approximately 700,000 online credentials and successfully compromised 85 online wallets containing a range of cryptocoins – including Bitcoin.

At the time of writing, Trustwave’s Spiderlabs, has found evidence of the following amounts being transferred out of online wallets by the trojan:

~ 355 BitCoins

~ 280 LiteCoins

~ 33 PrimeCoins

~ 46 FeatherCoin


Other cryptocurrency wallets believed to have been vulnerable to Pony theft are:



Online Wallet Checker

Since cryptocurrency addresses and wallets are anonymous, there is no way to contact the owners of affected wallets. Hence, Trustwave have created a webpage where you can enter your wallet’s public key to check whether it is in the list of compromised accounts: Trustwave Account Checker

Note to readers: Your public key is, by definition, public and revealing it does not compromise your wallet security. However, take care to NOT enter any private keys!

Pony was first identified in December, by McAfee, for using keystroke logging to steal “approximately 2 million passwords” from popular social media sites:


Using a system of compromised computers, hackers were able to capture login credentials for a variety of accounts from social networking sites such as Facebook, Twitter, and LinkedIn, email providers Google and Yahoo, and payroll provider ADP.


Botnet Inactive

The number of credentials quoted by McAfee is far greater than the figure of 700,000 now declared by Trustwave, who have also determined that the operators of the botnet ceased all activity in mid-January:

pony botnet activity
Trustwave determined that Pony botnet activity ceased in mid-January (image courtesy of Trustwave Spiderlabs)