WeedHack Minecraft Malware: How Fake Mods Steal Gaming Accounts, Passwords and Crypto

By Fanny Engriana · 7 min read
Disclaimer: This article is for educational and protective purposes only. It explains how the WeedHack and related gaming-malware campaigns work so you can defend your family's devices and accounts. Nothing here is an endorsement of cheating, piracy, or downloading unofficial game modifications. If you believe a device is already infected, follow the recovery steps near the end and consult the official guidance from CISA and your antivirus vendor.

On June 2, 2026, McAfee's research team published findings on a malware operation called WeedHack that has infected 116,464 systems since January — almost all of them belonging to people looking for free Minecraft cheats, clients, and mods. That is not a rounding-error number. It works out to between 2,000 and 3,000 fresh infections every single day, and the victims are concentrated in the United States, Germany, India, and the United Kingdom.

I have spent 11+ years building software that touches real money — POS systems, a digital pawnshop platform, hotel booking back-ends — and the single most common way an attacker gets a foothold is not some exotic zero-day. It is a person voluntarily running a file they should not have run. WeedHack is that pattern at industrial scale, and because the targets are often kids and teenagers playing on a shared family computer, the blast radius reaches the parent's saved banking passwords too. Let me walk through exactly how this works and what to actually do about it.

What WeedHack is, in plain terms

WeedHack is a malware-as-a-service (MaaS) infostealer. That business model matters. The people who write the malware do not personally attack you — they rent the tool out to subscribers who run their own campaigns and watch the stolen data roll into a shared dashboard. McAfee documented a free tier plus paid upgrades: $5/month for premium, or a $24.99 one-time lifetime purchase. For the price of a couple of fast-food meals, a low-skill attacker gets a turnkey credential-theft machine.

The free tier already steals a frightening amount:

  • Your Minecraft session ID (so the attacker logs in as you without needing your password)
  • Cookies and saved passwords across 36 browsers
  • Credentials from 56 cryptocurrency browser extensions and 12 desktop crypto wallet apps
  • Discord, Steam, and Telegram credentials
  • On-demand screenshots of your desktop

The premium tier adds full remote control: live mouse and keyboard input, webcam access, a keylogger, a remote shell, and remote file management. At that point the attacker is not stealing data — they are sitting at your computer.

How it reaches the victim

WeedHack does not break in. It is invited in, through three channels that McAfee mapped across 240+ distribution URLs and 3,820 unique malicious JAR files:

1. YouTube tutorials

Videos that demo a "free" Minecraft client or cheat, with the download link sitting in the description or pinned comment. Some of these videos had picked up 7,500+ views before takedown — meaning thousands of viewers were funneled toward a single poisoned link.

2. SEO poisoning

The operators specifically targeted searches for well-known Minecraft utility names — Meteor, Radium, Wurst, Future, and Impact among them. Search for the real tool, and a fake look-alike site ranks high enough to catch the impatient clicker. In my experience, this is the most dangerous vector precisely because it intercepts people who already know the name of the legitimate thing they want.

3. Fake project websites

Cloned or invented sites that impersonate a legitimate mod project, complete with screenshots and a confident "Download" button.

The payload is delivered as a JAR file (a Java archive — the normal, legitimate format Minecraft mods use). That is what makes this campaign effective: the file type looks exactly right. A parent glancing over a kid's shoulder sees a .jar download for a Minecraft mod and assumes it is fine, because legitimate mods genuinely are .jar files.

This is not just a Minecraft problem

Fake game cheats and mods are a leading source of infostealer malware in 2026

WeedHack is the loud headline, but it sits inside a much larger trend. In February 2026, researchers documented the Powercat campaign, which disguised itself as "Xeno loader," a Roblox script executor, and pushed an infostealer at players of Roblox, Minecraft, GTA V, Discord, and Telegram. Industry analysis now estimates that over 40% of infostealer infections originate from gaming-related files — cheats, mods, cracked games, and so-called "performance boosters."

Stolen Roblox accounts are even triaged automatically: the malware queries each account for its MFA status, in-game currency balance, premium subscription, payment information, and inventory value, then resells the account based on what is inside. Your 13-year-old's Roblox inventory has a market price, and these operations know it to the cent.

Why a kid's game account is a household security problem

Here is the part parents underestimate. The malware does not stay in the game's sandbox. The free tier alone harvests saved passwords from 36 browsers. If anyone in the house ever clicked "save password" on a banking site, an email account, or a work login in the same browser profile — that credential is now in the attacker's dashboard.

When I set up credential handling for client projects, the rule we enforce is simple: production secrets never live in the same place as casual browsing. The home equivalent is that a gaming machine and a banking machine should not share a browser profile. Across the Smart POS and digital pawnshop systems I have shipped, the breaches that scared me most were never the application-layer ones — they were the cases where one stolen browser session quietly unlocked five other services because everything was logged in everywhere. A shared family PC is exactly that risk, just at home.

How to actually protect your household

Only install mods from CurseForge or Modrinth

These are the two verified community platforms for Minecraft mods. ESET's guidance is blunt: download mods exclusively from trusted platforms like CurseForge and Modrinth, and steer clear of random file hosts, forums, Discord links, and especially YouTube descriptions. The official Minecraft Marketplace is another safe source.

Know the legitimate file types

Real Minecraft mods are .jar files or compressed archives (.zip, .rar). If a "mod" download is an .exe or .bat, or it asks for administrator privileges, that is a red flag — mods almost never need admin rights. Stop there.

Check the developer's track record

Established mod authors have visible history and community reviews. An anonymous author with zero reviews is a reason to walk away. Read the comments — players are quick to flag a mod that turned out to be malicious.

Scan before you run

Upload any questionable file to VirusTotal before opening it. For anything genuinely uncertain, open it in a sandbox or virtual machine rather than on your main system. This costs two minutes and saves a weekend of cleanup.
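The two checks above ("Know the legitimate file types" and "Scan before you run") can be done in one pass before a download is ever opened. The script below is an added example, not code from the article or from McAfee, ESET, or any mod platform. It applies the article's rules: an expected extension (.jar, .zip, .rar), a rejected one (.exe, .bat and a few similar script types, the extra ones being an assumption), a look at the file's real magic bytes rather than its name (a .jar is a ZIP archive and starts with `PK`, a Windows executable starts with `MZ`), a listing of any native executables packed inside the archive (the heuristic that a Java mod has no reason to carry a .exe or .dll is an assumption, not a claim from the page), and a SHA-256 that can be searched on VirusTotal without uploading the file. All sample archives are constructed in memory; no real mod or malware bytes are involved.

```python
"""Pre-install triage for a downloaded Minecraft mod file (added example)."""
import hashlib
import io
import zipfile
from pathlib import Path

ALLOWED_EXTENSIONS = {".jar", ".zip", ".rar"}  # formats the article calls normal
# Assumed red-flag list: the article names .exe and .bat; the rest are similar script types.
REJECT_EXTENSIONS = {".exe", ".bat", ".cmd", ".ps1", ".vbs", ".scr", ".msi"}
# Assumption: a Java mod has no reason to bundle native executables or scripts.
SUSPICIOUS_MEMBER_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".scr")
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP/JAR archive
EXE_MAGIC = b"MZ"          # DOS/PE executable header


def sha256_hex(data: bytes) -> str:
    """Hash to search on VirusTotal instead of uploading the file."""
    return hashlib.sha256(data).hexdigest()


def triage(filename: str, data: bytes) -> dict:
    """Return {'ok': bool, 'reasons': [str], 'sha256': str} for a downloaded file."""
    reasons = []
    ext = Path(filename).suffix.lower()
    if ext in REJECT_EXTENSIONS:
        reasons.append(f"extension {ext} is an executable/script, not a mod format")
    elif ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"unexpected extension {ext}")
    # Trust the bytes, not the name: a renamed .exe still starts with MZ.
    if data.startswith(EXE_MAGIC):
        reasons.append("content is a Windows executable (MZ header) regardless of its name")
    if ext in {".jar", ".zip"} and not data.startswith(ZIP_MAGIC):
        reasons.append(f"file claims to be {ext} but lacks the ZIP signature")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(SUSPICIOUS_MEMBER_SUFFIXES):
                        reasons.append(f"archive contains native executable/script: {name}")
        except zipfile.BadZipFile:
            reasons.append("ZIP signature present but archive is corrupt")
    return {"ok": not reasons, "reasons": reasons, "sha256": sha256_hex(data)}


def build_jar(members: dict) -> bytes:
    """Constructed sample: build an in-memory JAR from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (contents are placeholders, not real mod or malware bytes).
CLEAN_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "fabric.mod.json": "{}",
    "com/example/Mod.class": b"\xca\xfe\xba\xbe",
})
JAR_WITH_EXE = build_jar({"fabric.mod.json": "{}", "natives/helper.exe": b"MZ placeholder"})
EXE_RENAMED = b"MZ" + b"\x00" * 62  # an executable that was renamed to .jar

if __name__ == "__main__":
    samples = [("meteor-client.jar", CLEAN_JAR),
               ("meteor-client.jar", JAR_WITH_EXE),
               ("free-client.jar", EXE_RENAMED),
               ("installer.exe", EXE_RENAMED)]
    for fname, blob in samples:
        verdict = triage(fname, blob)
        status = "OK   " if verdict["ok"] else "STOP "
        print(f"{status} {fname}  sha256={verdict['sha256'][:16]}...")
        for r in verdict["reasons"]:
            print(f"      - {r}")
```

A file that passes these checks is not proven safe; the checks only catch the crude cases the article describes (an executable dressed up as a mod) and give you the hash to look up. Anything that still looks doubtful goes to a sandbox or virtual machine, as the section above says.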

Separate gaming from money

If at all possible, do not let the family gaming PC be the same machine — or at least the same browser profile — where adults log into banking, email, and work. Use a separate browser profile or a standard (non-administrator) Windows account for gaming. This single boundary blunts most of the damage even if a stealer does run.

Turn on MFA everywhere that holds value

Multi-factor authentication will not stop a session-cookie theft on its own, but it does block the attacker from logging in fresh on their own device, and it buys you time. Enable it on the Microsoft/Xbox account behind Minecraft, on email, and on anything financial. The U.S. CISA Secure Our World program lists MFA as one of its four core habits for a reason.

If you think a device is already infected

Move quickly — an infostealer's value decays the moment you start changing passwords, so do it in this order:

  1. Disconnect the machine from the internet to cut off any live remote-control session.
  2. Delete the suspicious mod and run a full scan with reputable anti-malware software.
  3. Reinstall Minecraft only from the official site, minecraft.net.
  4. Change every important password — and do it from a different, clean device, because the infected one may still be logging your keystrokes. Start with email, then banking, then game and Discord accounts.
  5. Enable two-factor authentication on each account as you reset it, which also forces the stolen sessions to log out.
  6. Review financial and crypto accounts for unauthorized activity, since wallets and saved payment data are explicit WeedHack targets.

For a structured walk-through of cleaning up after credential theft, the CISA guidance on malicious code and FTC consumer protection resources are both worth bookmarking.

The honest takeaway

I would not lecture anyone for wanting mods — modding is most of what makes Minecraft great, and the legitimate ecosystem on CurseForge and Modrinth is enormous and safe. The problem is never the desire for a mod. It is the shortcut: the YouTube link, the search result that looks close enough, the "free" version of a paid cheat. WeedHack is profitable specifically because impatience is universal and a poisoned .jar looks identical to a clean one.

If you take one thing from this: a Minecraft mod that comes from anywhere other than CurseForge, Modrinth, or the official Marketplace is not worth the risk to your family's passwords and bank logins. Two clicks to the right source beats two weeks of damage control. In every production system I have shipped, the cheapest security control was always the boring one applied before the incident — and at home, that control is simply where you download from.


Sources: McAfee Labs (WeedHack campaign analysis, June 2026); BleepingComputer; ThreatLocker (Powercat campaign, February 2026); ESET WeLiveSecurity (Minecraft mod safety); Bitdefender Labs; CISA Secure Our World; U.S. FTC Consumer Advice. This article is provided for educational purposes and does not constitute professional security consulting for any specific environment.
