The CryptoShuffler Trojan is siphoning funds from cryptocurrency wallets, targeting a wide range of the most popular cryptocurrencies, including Bitcoin, Ethereum, Zcash, Dash, Monero and others.
Uncovered by Kaspersky Lab, the bad code steals cryptocurrencies from a wallet by replacing the user’s legitimate address with its own in the device’s clipboard. To date, criminals have already succeeded in lucratively attacking Bitcoin wallets, stealing equivalent to almost $140,000. The total amounts stolen from other wallets range from a few dollars to several thousands.
“Clipboard hijacking attacks like this have been previously seen in the wild, targeting online payment systems; however, experts believe cases involving a cryptocurrency host address are currently rare,” researchers said.
CryptoShuffler’s mechanism is simple yet effective, capitalizing on the common transaction process used by most cryptocurrency users: They copy a recipient’s walled ID number and paste it into the “destination address” line in the software they are using to make their transaction. The trojan simply monitors the infected device’s clipboard, and replaces the user's wallet address with one owned by the malware creator. Therefore, when the user pastes the wallet ID to the destination address line, it is already not the address they originally intended to send money to, and as a result, the victim transfers their money directly to criminals.
“CryptoShuffler’s ability to replace a destination literally takes milliseconds because it’s so simple to search for wallet addresses—the majority of cryptocurrency wallet addresses have the same beginning and certain number of characters,” Kaspersky said. “Therefore, intruders can easily create regular codes to replace them.”
To keep crypto savings safe, users should pay close attention during transactions, and always check the wallet number listed in the destination address line against the one they are intending to send coins to. Users should also be aware that there is a difference between an invalid address and an incorrect address: In the first case, the error will be detected and the transaction won't be completed; in the latter, there’s no alert.
“Cryptocurrency is not tomorrow's technology anymore. It is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals,” said Sergey Yunakovsky, malware analyst at Kaspersky Lab. “Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So, users considering cryptocurrency investments should think about protecting their investments carefully.”