
A proof-of-concept Exodus Stealer that extracts the mnemonic phrase and passphrase, then sends them to a remote attacker-controlled server.


Web3-Serializer/Exodus-Stealer-PoC


🧱 Exodus Wallet Stealer - Proof of Concept

Disclaimer: This project is intended for educational and research purposes only. Do not use this code or method to compromise any system without explicit permission. Unauthorized use is illegal.

Note: This is only a Proof of Concept. The code quality is quite poor and not production-ready. It is meant to demonstrate a concept, not to be used as a finished tool.

📦 Overview

This PoC demonstrates how an attacker could manipulate the Exodus Wallet (a popular Electron-based cryptocurrency wallet) on Windows by unpacking and modifying its internal Electron application to:

  • Extract the mnemonic phrase and optional passphrase
  • Hook user input during wallet unlock
  • Exfiltrate data to an external server or messaging service (e.g. Telegram)

πŸ› οΈ Technical Summary

  1. Locate and unpack the app.asar archive from the Exodus installation directory (typically: C:\Users\<User>\AppData\Local\exodus\app-<version>\resources\app.asar).
  2. Extract the ASAR archive using tools like npx asar extract app.asar ./app_unpacked.
  3. Modify internal logic to:
    • Hook the Electron frontend input handling where the passphrase and mnemonic are entered.
    • Inject custom JavaScript methods to capture and export those values.
  4. Edit main/index.js (Electron's main process file) to:
    • Set up a data exfiltration routine (e.g., via HTTP POST to external server or Telegram Bot API).
    • Ensure persistence or stealth if needed (optional for PoC).
  5. Repack the modified source into a new app.asar using npx asar pack ./app_unpacked ./app.asar.
  6. Replace the original app.asar in the Exodus install folder with the malicious one.
  7. Launch Exodus: the application will function normally, but sensitive data will now be intercepted and exfiltrated silently.

🚨 Exfiltration Methods

The PoC supports multiple exfiltration vectors:

  • Telegram Bot: Send mnemonic/passphrase to a chat via Bot API
  • Remote HTTP Server: POST sensitive data to a controlled endpoint
  • Custom WebSocket or Cloud Services (optional)

βš™οΈ Telegram Bot Configuration

To enable Telegram exfiltration, you must update the bot credentials in the following file:

app_unpacked\src\app\main\index.js
  • Line 20: Replace with your Telegram chat ID.
  • Line 21: Replace with your Telegram Bot token (created via @BotFather).

Example:

const TELEGRAM_CHAT_ID = 'YOUR_CHAT_ID_HERE';      // Line 20
const TELEGRAM_BOT_TOKEN = 'YOUR_BOT_TOKEN_HERE';  // Line 21

💡 Notes

  • This works because Exodus is built with Electron and Node.js, where app logic is stored in an easily modifiable ASAR archive.
  • No privilege escalation is needed if the user runs the wallet with default permissions.
  • The wallet UI continues to function normally, making the attack stealthy.

⚠️ Legal Notice

This repository is strictly for cybersecurity research, reverse engineering education, and red team simulation.
Do NOT use this PoC to target or compromise real users or systems without full consent.


🔧 Requirements

  • Node.js & NPM (for ASAR tooling)
  • asar: npm install -g asar
  • Basic knowledge of Electron and JavaScript

✅ PoC Status

  • ✅ Extraction of passphrase
  • ⏳ Extraction of mnemonic phrase
  • ✅ Custom exfiltration logic injection
  • ✅ Works on default Exodus installations (Windows)

πŸ‘οΈβ€πŸ—¨οΈ Ethical Reminder

Engaging in unauthorized access or data theft is a criminal offense in most jurisdictions.
Always use offensive security knowledge responsibly.
