Symantec has seized on an alleged scam in which supporters of the Anonymous hacktivists may have been "tricked" into infecting their own machines with the Zeus trojan.
The security firm said it had tracked a change in a pastebin entry that instructed internet users on how to participate in a denial-of-service attack in the wake of the Megaupload raids.
A download link to the denial-of-service tool was replaced with a "trojanised" version that stole usernames, passwords, banking credentials and cookies, Symantec said.
"Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen," the firm said.
"The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world."
Symantec did not release any data on apparent rates of infection, but noted the guide that features the malware-embedded link had been retweeted several hundred times in response to various causes taken up by Anonymous.