
An Infostealer Malware Incident and the Tracing Challenges Linked to Unidentified Services

  • julia05126
  • Sep 24
  • 3 min read


Note: the donation address 67RePoP2ygScWLjC95MZAR1rByp3fezv7zPfbgCekxyi is compromised, as we outline in this article. Please do not send any further payments to this address.


Our investigations team has traced the laundering of cryptocurrency stolen from a creator whose funds (over $32,000 intended for cancer treatment) were drained via infostealer malware. The proceeds were funneled through a single exchange whose deposit addresses many investigative teams would not readily identify as belonging to a service.


The incident was reported by the victim here: https://x.com/rastalandTV/status/1969629808788181258


Background

In February 2025 Latvian streamer Raivo Plavenieks, aka Rastaland (@rastalandTV), posted on X asking for help raising funds for cancer treatment after disclosing that he had been diagnosed with stage-3 high-grade sarcoma. In his post, dated 17 February, Rastaland listed three cryptocurrency addresses for donations, including the SOL address 67RePoP2ygScWLjC95MZAR1rByp3fezv7zPfbgCekxyi.


Screenshot from X post

On 19 September 2025, Rastaland created the $CANCER coin on pump.fun in a bid to raise further funds for his treatment. Pump.fun provides a user-friendly platform where tokens can be created and traded without technical knowledge and at low cost to the user.


After creating the coin, Rastaland set about building his social media community (https://x.com/i/communities/1969116669097500773) to promote the coin via his live streams. 



Little more than 24 hours after the $CANCER coin was created, Rastaland was invited by a viewer of his live stream to download a game on Steam. The download turned out to contain infostealer malware, and almost $32,000 USD in donated Solana was drained from his wallet 67RePoP2. Rastaland then took to X to inform his followers of the theft.


An infostealer is a type of malware designed to quietly collect sensitive information from an infected device; it is typically delivered via phishing emails and malicious downloads. Infostealers are a significant threat to cryptocurrency owners because they harvest wallet files, private keys and saved credentials, giving the attacker direct control over the victim's funds. Once a wallet's key material has been exfiltrated, the wallet must be treated as permanently compromised: any funds that remain, or that arrive later, can be taken at will, which is why the donation address above should no longer be used.


zeroShadow's Investigation


Following the theft, zeroShadow investigators, like many others in the crypto community, began an on-chain investigation to follow the stolen funds.


Our investigations team has traced the laundering of the cryptocurrency stolen from Rastaland and has identified the transaction flows, wallet clusters and exchange interactions that can support law-enforcement action.


The stolen funds were all received at

B7tftk7yrEvrEga32KQR7eXCkSUMs4ijDxbQmwUMaW6j

and within hours had been split across two addresses:

ACykwSQnAWE8DD69M8UNrRuBLi1LgtAT7tdHKYJFDTVe

4NDQswotkwzRonHTYAmw43JwXeGUpjtxLAS9uT5GHdUK


Both initially appeared to be single-use accounts, with the funds consolidating a short time later at C4gv7Ba5SYDnpFF9pyaN1Tf8sVTczLDicgVwZwzxqkcX. However, based on the observed behaviour and the experience of zeroShadow's investigators, we were able to identify and confirm that these deposit addresses belong to an exchange rather than to an individual user. This is shown in the Chainalysis Reactor graph below.


[Chainalysis Reactor graph of the fund flow; image not reproduced]


On initial inspection, the addresses listed above were not immediately identifiable as exchange deposits. An investigator who missed that attribution could trace straight through the service and, because deposits are pooled with other customers' balances inside the exchange, inadvertently follow funds that are no longer linked to the theft.


Tracing through unclustered services is a common pitfall for investigators. Identifying a service at the earliest opportunity avoids:

  • Inaccurate tracing, because the funds are co-mingled with other customers' balances at exchanges and other services.

  • Failure to recognise the change of ownership that occurs when funds are deposited at a service.

  • Delays in tracing, and therefore missed opportunities to freeze the funds while the service still holds them.
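The fund flow described above, and the pitfall of tracing through a service, can be made concrete with a small tracer. The following is an added example, not zeroShadow's tooling or data: only the five address strings come from the article. The amounts, the two "unrelated_customer_*" parties and the deposit-address heuristic are constructed for illustration, and the heuristic is a crude assumption rather than any vendor's clustering method. The point it shows is that a trace must halt at an attributed service deposit address, where ownership of the funds changes and a freeze request belongs, whereas a naive trace walks through the exchange and tags another customer's withdrawal as theft proceeds.

```python
"""Toy fund-flow tracer illustrating why service addresses must be
attributed before tracing continues.

Added example: not zeroShadow's tooling. Amounts, the unrelated parties and
the deposit heuristic are constructed; only the five addresses are real.
"""
from collections import defaultdict, deque

# Addresses named in the article (Solana).
VICTIM = "67RePoP2ygScWLjC95MZAR1rByp3fezv7zPfbgCekxyi"
FIRST_HOP = "B7tftk7yrEvrEga32KQR7eXCkSUMs4ijDxbQmwUMaW6j"
SPLIT_A = "ACykwSQnAWE8DD69M8UNrRuBLi1LgtAT7tdHKYJFDTVe"
SPLIT_B = "4NDQswotkwzRonHTYAmw43JwXeGUpjtxLAS9uT5GHdUK"
CONSOLIDATION = "C4gv7Ba5SYDnpFF9pyaN1Tf8sVTczLDicgVwZwzxqkcX"

# Constructed transfers: (sender, receiver, amount_in_sol). The amounts and
# the two "unrelated_customer_*" parties are invented to show co-mingling.
TRANSFERS = [
    (VICTIM, FIRST_HOP, 150.0),
    (FIRST_HOP, SPLIT_A, 75.0),
    (FIRST_HOP, SPLIT_B, 75.0),
    (SPLIT_A, CONSOLIDATION, 75.0),   # deposit address swept to hot wallet
    (SPLIT_B, CONSOLIDATION, 75.0),
    ("unrelated_customer_deposit", CONSOLIDATION, 400.0),
    (CONSOLIDATION, "unrelated_customer_withdrawal", 200.0),
]


def build_graph(transfers):
    """Adjacency map: sender -> [(receiver, amount)]."""
    graph = defaultdict(list)
    for sender, receiver, amount in transfers:
        graph[sender].append((receiver, amount))
    return graph


def suspected_service_deposits(transfers, min_fan_in=3):
    """Crude behavioural heuristic (an assumption of this example, not a
    vendor's clustering): an address with exactly one inbound and one
    outbound transfer, forwarding the full amount to a destination that
    collects from many distinct senders, looks like an exchange deposit
    address being swept into a hot wallet. Real attribution needs more
    evidence than this (known hot-wallet labels, timing, memo/tag usage)."""
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
        outbound[sender].append((receiver, amount))
    fan_in = {addr: len({s for s, _ in ins}) for addr, ins in inbound.items()}
    suspects = set()
    for addr, ins in inbound.items():
        outs = outbound.get(addr, [])
        if len(ins) != 1 or len(outs) != 1:
            continue
        (_, amount_in), (dest, amount_out) = ins[0], outs[0]
        if abs(amount_in - amount_out) < 1e-9 and fan_in.get(dest, 0) >= min_fan_in:
            suspects.add(addr)
    return suspects


def trace(graph, start, service_addresses, max_hops=10):
    """Breadth-first trace from `start`.

    Returns (reached, stop_points):
      reached     - {address: hop_count} for every address the trace touched
      stop_points - attributed service addresses where the trace halted; the
                    freeze/KYC request goes to the service, and the service's
                    outflows are NOT followed because ownership changed on deposit.
    With an empty service set this degrades to a naive tracer that walks
    through the exchange and wrongly tags other customers' withdrawals.
    """
    reached = {start: 0}
    stop_points = set()
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if addr in service_addresses and addr != start:
            stop_points.add(addr)
            continue
        hops = reached[addr]
        if hops >= max_hops:
            continue
        for nxt, _amount in graph.get(addr, []):
            if nxt not in reached:
                reached[nxt] = hops + 1
                queue.append(nxt)
    return reached, stop_points


def misattributed(graph, start, service_addresses):
    """Addresses a naive trace would wrongly link to the theft."""
    naive, _ = trace(graph, start, set())
    aware, _ = trace(graph, start, service_addresses)
    return set(naive) - set(aware)


if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    services = suspected_service_deposits(TRANSFERS)
    reached, stops = trace(g, VICTIM, services)
    print("suspected service deposit addresses:", sorted(services))
    print("trace halted at:", sorted(stops))
    print("wrongly attributed by a naive trace:", sorted(misattributed(g, VICTIM, services)))
```

Run as-is, the service-aware trace stops at the two deposit addresses, while the naive trace continues into the hot wallet and out to the unrelated customer's withdrawal. In a real investigation the stop points are where an investigator requests a freeze and customer identification from the exchange; anything traced beyond them is the exchange's money, not the victim's.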


We will provide our full findings, including transaction data and timelines, free of charge to verified law-enforcement agencies. For secure access, please contact us from an official address.


Original article by the zeroShadow team



