TechDeveloping

Mod reviewed

Minecraft mod malware infected 116,000 players since January, sold for $5 on Discordminecraft mod malware hit 116K players and you could buy it for $5 in a discord server

Q: McAfee researchers named the operation WeedHack and published findings on June 2, 2026.

Status: sourced. Sources under review.

Q: The malware infected 116,464 Minecraft players since January 2026.

Status: sourced. Sources under review.

Q: Infection rate averaged 2,000 to 3,000 new victims per day.

Status: sourced. Sources under review.

Q: The toolkit was sold for as little as $5 via Discord.

Status: sourced. Sources under review.

Q: It targeted Minecraft clients Meteor, LiquidBounce, and Wurst.

Status: sourced. Sources under review.

Q: The command server used the Ethereum blockchain to resist takedowns.

Status: sourced. Sources under review.

Q: The malware disabled Windows Defender and gained webcam access.

Status: sourced. Sources under review.

Q: Whether Discord has taken action against WeedHack-related accounts and servers.

Status: developing. Sources under review.

Q: Whether affected Minecraft clients have issued advisories to their user bases.

Status: developing. Sources under review.

Q: The exact number of active operators running WeedHack.

Status: sketchy. Sources under review.

by The DeskMachine-generated · Human-vettedPublished 0m ago1 min read

Receipts · developing

1 linked receipt from Dexerto. Read these before sharing.

01What happened

The story, straight

A malware-as-a-service operation dubbed WeedHack by McAfee researchers infected 116,464 Minecraft players between January and June 2026, gaining webcam access and stealing data. The operation ran at 2,000 to 3,000 new victims per day and was sold for as little as $5, compared to the $250-to-$500 monthly cost of comparable dark-web toolkits. It spread through fake YouTube tutorials and SEO-poisoned download sites targeting popular Minecraft clients including Meteor, LiquidBounce, and Wurst. Once installed, the malware connected to a command server hidden inside the Ethereum blockchain to resist takedowns, disabled Windows Defender, and embedded itself silently. McAfee published its findings on June 2.

McAfee researchers found a malware operation called WeedHack that hit 116,464 minecraft players since january, running 2,000 to 3,000 new infections a day. it sold for $5 through a discord server — no dark web needed, no $250-a-month subscription. it spread through fake youtube tutorials and SEO-gamed download sites targeting popular mod clients like meteor, liquidbounce, and wurst. once on your machine it killed windows defender, hid its command server inside the ethereum blockchain, and quietly watched through webcams. the whole thing had a free tier, a leaderboard, and a suggestion box. mcafee went public with the research on june 2.

02Spread timeline

Where it actually started

January 2026Origin

WeedHack malware operation begins spreading through fake Minecraft mod tutorials and SEO-poisoned download sites.WeedHack starts running, spreading through fake youtube mod tutorials and shady download sites.

source

January–June 2026

Operation scales to 2,000–3,000 daily infections, reaching 116,464 total victims. Command server hides inside Ethereum blockchain.infections hit 2K–3K a day, totaling 116,464. command server hides on ethereum to dodge takedowns.

source

June 2, 2026

McAfee researchers publish findings, naming the operation WeedHack and disclosing infection scale.mcafee goes public with the research, names it weedhack, drops the 116K number.

source

03Source receipts

Every claim, linked

Dexerto

Full report on McAfee's WeedHack findings: 116,464 infections since January 2026, $5 price point, Discord distribution, Ethereum blockchain C2, targeting Minecraft clients Meteor, LiquidBounce, and Wurst.

primaryrssreceipt

04Claim-level check

Claims, status, and receipts

ClaimStatusReceiptsAction

McAfee researchers named the operation WeedHack and published findings on June 2, 2026.sourcedStory receiptsSuggest fix

The malware infected 116,464 Minecraft players since January 2026.sourcedStory receiptsSuggest fix

Infection rate averaged 2,000 to 3,000 new victims per day.sourcedStory receiptsSuggest fix

The toolkit was sold for as little as $5 via Discord.sourcedStory receiptsSuggest fix

It targeted Minecraft clients Meteor, LiquidBounce, and Wurst.sourcedStory receiptsSuggest fix

The command server used the Ethereum blockchain to resist takedowns.sourcedStory receiptsSuggest fix

The malware disabled Windows Defender and gained webcam access.sourcedStory receiptsSuggest fix

Whether Discord has taken action against WeedHack-related accounts and servers.developingStory receiptsSuggest fix

Whether affected Minecraft clients have issued advisories to their user bases.developingStory receiptsSuggest fix

The exact number of active operators running WeedHack.sketchyStory receiptsSuggest fix

Whether any victims have been identified or notified.sketchyStory receiptsSuggest fix

How this was made

Written byThe Desk (DeepSeek)

Reviewed byAutonomous reviewer

Confidencedeveloping

Sources1 distinct source

Vetted by0 readers (0% sourced)

Fills a coverage gap in underrepresented tech category (4%) with specific, checkable cybersec claims (infection numbers, pricing, blockchain C2) sourced from McAfee research via Dexerto; the $5 Discord storefront detail and Ethereum C2 technique add genuine internet-culture novelty beyond generic malware recaps.

05Why it matters

The editorial take

The WeedHack operation exposes a rapidly maturing malware-as-a-service economy built around gaming communities, where low price points and Discord distribution dramatically lower the barrier to entry for would-be attackers. Minecraft's younger player base makes webcam access especially concerning, and the use of Ethereum blockchain infrastructure to resist takedowns signals an evolving cat-and-mouse game between malware developers and security researchers. This is the latest in a pattern of fake-mod campaigns targeting Minecraft's enormous modding ecosystem.

a $5 malware toolkit with a discord storefront and a leaderboard. the barrier to entry for mass surveillance just cratered. minecraft skews young — 116K kids with compromised webcams is not a hypothetical. the ethereum blockchain trick for dodging takedowns is new and it'll show up in the next one too. mod malware campaigns targeting minecraft aren't slowing down.

Reader confidencecap check

Tap your read — readers grade the story, not the vibe.tap your read. we grade the story not the vibe.

0votes

No votes yet — be the first to check this story

FixCommunity correctionSuggest a sourced correctionSend a structured fix to moderator review.

Public story text does not change until an admin approves it.

Be specificPoint to the headline, claim, timeline, or receipt that needs work.

Bring evidenceInclude the best source URL you have, even if it only adds context.

Expect reviewModerators approve, reject, or request better sourcing before changes go live.

About trust & governance on Looped

The desk drafted this. Readers check it. Moderators approve corrections.Checks prioritize review; approved changes create version history.

ReviewLast reviewed by moderator

CorrectionsNo approved community corrections yet

Receipts1 attached

Versionv1

LiveLiving story

Every approved fix becomes part of the record.

Looped stories are not disposable posts: receipts, claims, reader checks, and moderator decisions can change the approved version over time.

Current versionv1

Sourced claims7

Open disputes0

Latest trust eventmoderator reviewed

Desk draft createdFirst structured version
Receipts attached1 linked source
Moderator reviewedCurrent version approved for readers
Current trust eventmoderator reviewed

ModAccountability trail

Community input goes through a visible approval path.

StatusApproved by moderator

Trust eventmoderator reviewed

Approved fixes0

Trust labels should come from receipts, claim status, and moderator approval — not from heat alone.Reader votes can force closer review, but the public confidence label should move only when the evidence and approved story state move with it.

If this story changes, readers should be able to see what changed and why.Big edits should resolve into version history, updated trust state, and visible evidence — not a silent rewrite.

Readers should not have to guess whether a story quietly changed.When major framing, claims, or receipts move, the version history should explain it and the trust state should reflect it.

Standard and Native change the voice, not the facts.The wording can shift for readability or internet tone, but receipts, claims, and moderator-approved story state stay the same.

These stories should stay understandable even if you do not already speak the internet's native dialect.Voice can flex between Standard and Native, but the product should keep receipts, claims, and cultural context legible either way.