devtake.dev

116,000 Minecraft PCs got infected by fake mods. The 'WeedHack' stealer is free to anyone.

McAfee says a free malware-as-a-service stealer called WeedHack has hit 116,000+ Minecraft systems via fake mods and cheats. Here's what it grabs and how to clean up.

Hiro Tanaka · 4 min read · 3 sources

McAfee says a free malware operation called WeedHack has infected more than 116,000 Minecraft systems. It spreads through fake mods, cheats, and game clients, and it’s been running since January.

The total isn’t the scary part. The price is. WeedHack is a malware-as-a-service platform that hands out a working credential infostealer for free, on the open web, with tutorials. McAfee Labs counted 116,464 infected machines and says the campaign is still adding 2,000 to 3,000 a day, hitting players hardest in the United States, Germany, India, and the UK. If you’ve installed a sketchy mod to get a cheat client working, you’re in the blast radius.

What WeedHack actually steals

The free tier is already nasty. According to McAfee Labs, it lifts Minecraft session IDs (so an attacker can log into your account without your password), then sweeps saved passwords and cookies across 36 browsers, 56 cryptocurrency browser add-ons, and 12 desktop crypto wallet apps. It also grabs Discord, Steam, and Telegram credentials and quietly snaps screenshots. Lose the session token and someone can be in your account before you notice.

The paid tier is where it turns into full spyware. For $5 a month, or a $24.99 lifetime buy, customers get remote control of your mouse and keyboard, webcam access, a keylogger, a remote shell, and file management on your machine. That’s not account theft anymore. That’s somebody sitting at your computer.

What makes the operation spread so fast is the distribution. McAfee tracked more than 3,820 unique malicious JAR files across over 240 URLs, pushed mainly through YouTube videos with download links in the description, plus SEO poisoning that mimics real client names like Meteor, Radium, and Wurst. You search for a popular cheat client, click the top result, and download the trojanized version instead of the real one.

Teenagers are the buyers, and the victims

The part that sets WeedHack apart from a normal stealer racket is who’s running it. McAfee’s researchers found that the low cost and easy access pulled in a young crowd, and that those buyers weren’t only after money.

“One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free,” McAfee security researcher Aayush Tyagi wrote. “This difference in cost and ease of access with detailed tutorials on how to use the malware significantly reduces the barrier to entry for prospective customers.”

Most of those customers are teenagers stealing Minecraft accounts, McAfee says, and many used a Telegram channel of more than 800 members to post images and videos of themselves harassing the people they’d hacked. Because most of the victims appear to be minors, McAfee held back the evidence it pulled from that channel to protect them. The channel has since been taken down. The harassment angle is what reframes this from a gaming-security story into something closer to the credential-theft economy we covered in our VS Code token-leak piece and the stolen-API-key resale story: stolen logins are the product, and there’s always a marketplace.

What this means for you

If you play modded Minecraft, treat every JAR from outside an official source as hostile right now. Don’t download a mod or client from a YouTube description, a Discord drop, or whatever ranks first on Google. Pull mods only from the project’s real home (Modrinth, CurseForge, the developer’s own GitHub) or use the in-game Marketplace, and double-check the URL before you click. If you’ve installed anything questionable lately, assume it’s burned: change your Microsoft and Minecraft passwords, sign out of all sessions, reset Discord and Steam, and move any crypto out of wallets that touched the machine before running a full malware scan. And if there’s a kid in your house running cheat clients, this is the week to have the talk. The same store that sold them a free hack is selling a webcam feed of their bedroom. That’s the trade WeedHack is actually offering, and it’s worth covering before the next 116,000 land. For the platform’s own stance on this kind of community-rules fight, see Panic’s ban on a different gaming threat.
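One way to make "double-check the URL" mechanical is a strict allowlist check on the download link. This is an added example, not code from McAfee or any mod project; the allowlisted domains and the `example-dev/example-mod` repository are assumptions to replace with the sources you actually trust.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: registrable domains of the sources the article names.
OFFICIAL_DOMAINS = ("modrinth.com", "curseforge.com")
# Hypothetical placeholder for "the developer's own GitHub". Pin owner/repo,
# because anyone can upload a JAR to github.com.
PINNED_GITHUB_REPOS = {("example-dev", "example-mod")}
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def check_mod_url(url):
    """Return (allowed, reason) for a mod or client download URL."""
    url = url.strip()
    # Browsers read "\" as "/", so a backslash can hide the real host.
    if "\\" in url or any(ord(c) <= 0x20 for c in url):
        return False, "backslash or control character"
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    if port not in (None, 443):
        return False, "unexpected port"
    labels = host.split(".")
    if not HOST_RE.fullmatch(host) or any(l.startswith("xn--") for l in labels):
        return False, "non-ASCII, punycode or malformed host"
    # Compare on a label boundary: substring and bare-suffix checks are
    # exactly what lookalike hosts are built to pass.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return True, "official host"
    if host == "github.com":
        seg = [s.lower() for s in unquote(parts.path).split("/") if s]
        if len(seg) >= 2 and ".." not in seg and tuple(seg[:2]) in PINNED_GITHUB_REPOS:
            return True, "pinned GitHub repo"
        return False, "GitHub repo not pinned"
    return False, "host not on allowlist"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the campaign.
    for u in ("https://modrinth.com/mod/example-mod",
              "https://modrinth.com.free-clients.example/meteor.jar",
              "https://modrinth.com@downloads.example/wurst.jar"):
        print(check_mod_url(u), u)
```

A passing URL only tells you where the file is hosted; it says nothing about whether the JAR itself is clean.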


Quick reference

infostealer
Malware that quietly harvests saved credentials, session cookies, and wallet data from an infected machine, then ships it to the operator.
malware-as-a-service
A model where one crew builds the malware and rents it out, so buyers run attacks without writing any code themselves.
