Traffic mod loaded wallet-stealing DLL
A compromised Traffic mod author account pushed fastmath.dll through Paradox Mods. Cities: Skylines II loaded the DLL, which targeted Exodus cryptocurrency wallets.
Story
The affected package was Traffic, a code mod for Cities: Skylines II distributed through Paradox Mods. Late on October 28, 2024, an outside actor pushed an unauthorized update that added fastmath.dll to the mod directory.
Paradox later determined that this was a DLL hijacking attack. When players launched the game with the affected mod installed, the game executable loaded the malicious DLL. The first stage then looked for Exodus wallet data under the user's local AppData directory.
Paradox removed the malicious file, worked with the mod author to secure the account, and said version 0.2.4 was safe as of October 31, 2024 at 15:35 CET. The company also scanned Paradox Mods for the same malicious file and added update notifications so creators could see unexpected changes sooner.
The distribution path matters because the mod was real and popular inside the game's official mod ecosystem. Players did not need to visit a phishing site; subscribing to or updating the trusted Traffic mod was enough to place the DLL where Cities: Skylines II would load it.
Affected Artifacts
- Observed: 2024-10-28 to 2024-10-31
- Compromised Versions: Unknown
- Fixed: 0.2.4
- Evidence:
  - distribution: mods.paradoxplaza.com/mods/80095/Windows
  - mirror: paradoxinteractive.com/games/cities-skylines-ii/news/traffic-breach-statement
  - file: fastmath.dll
  - file: %localappdata%low\Colossal Order\Cities Skylines II\.cache\Mods\mods_subscribed\80095_13
- Paradox identified folder 80095_13 as the affected local mod directory and stated that version 0.2.4 was safe after removal of the malicious file.
- The exact malicious version identifier was not stated in the official advisory.
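Added example, not from Paradox or the source record: a Python check that walks the local mods_subscribed directory named in the evidence above and reports every file called fastmath.dll, with its mod folder and a SHA-256 for an incident report. It goes beyond folder 80095_13 to all subscribed mods; the folders 11111_2 and 22222_5 in demo() are constructed, and a name match is a lead to investigate, not proof that the file is the malicious one.

```python
import hashlib
import os
import tempfile
from pathlib import Path

INDICATOR_NAME = "fastmath.dll"   # file name from the record above
AFFECTED_FOLDER = "80095_13"      # mod folder Paradox identified


def default_mods_root() -> Path:
    # "%localappdata%low" as written in the record, i.e. AppData\LocalLow.
    base = os.environ.get("LOCALAPPDATA", "") + "low"
    return Path(base, "Colossal Order", "Cities Skylines II",
                ".cache", "Mods", "mods_subscribed")


def scan_mods(root: Path) -> list:
    """Return one finding per file named fastmath.dll under any mod folder."""
    findings = []
    if not root.is_dir():
        return findings
    for path in root.rglob("*"):
        # Windows file names are case-insensitive, so compare case-folded.
        if path.is_file() and path.name.casefold() == INDICATOR_NAME:
            mod_folder = path.relative_to(root).parts[0]
            findings.append({
                "mod_folder": mod_folder,
                "known_affected": mod_folder == AFFECTED_FOLDER,
                "path": str(path),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            })
    return sorted(findings, key=lambda f: f["mod_folder"])


def demo() -> list:
    """Scan a constructed tree (placeholder bytes, made-up extra folders)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "mods_subscribed")
        for rel in ("80095_13/FastMath.dll", "80095_13/Traffic.dll",
                    "11111_2/lib/fastmath.dll", "22222_5/Other.dll"):
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed placeholder")
        return scan_mods(root)


if __name__ == "__main__":
    for hit in scan_mods(default_mods_root()):
        print(hit)
```

The record publishes no hash for the malicious file, so the SHA-256 in each finding is only for recording what was found on the machine.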
Incident Context
- Motive: Cryptocurrency Theft
- Cause: Compromised Account Credentials
- Transitive: No
External References
- Traffic Breach Statement (paradoxinteractive.com)
- Popular Cities Skylines 2 traffic mod may contain malicious file, Paradox warns (pcgamesn.com)
- Hacked Cities Skylines 2 mod may target players' crypto wallets, Paradox says (pcgamesn.com)
Source record: proprietary/cities-skylines-traffic/meta.yaml