Wednesday, May 18

Be careful: this family of malware can steal your bitcoins this year

A family of viruses is on the prowl. Some are capable of exfiltrating data and stealing your bitcoins (BTC). Others quietly use your computing power to mine cryptocurrencies at your expense. The alarming part is that they are the current trend among cybercriminals and are emerging as the hacking methods that will be used the most in 2022.

Blockchain analytics firm Chainalysis studied the phenomenon and identified four types of malware commonly used by cybercriminals against their victims; some of them have been widely reported and are already well known.

They are information stealers, clippers, cryptojackers and the familiar Trojans. Together these four classes have caused losses running to significant sums. All of them target individuals in one way or another, and individual users appear to be the hackers' new preferred target.

Although cryptocurrency theft is usually associated with large attacks on companies, such as bitcoin exchanges, or with ransomware attacks against organizations, Chainalysis has observed a change in criminal behavior in recent years: they now use malware to steal smaller amounts of cryptocurrency from individual users.

Sold on the darknet

According to the firm, many of these “malware strains” are sold on the darknet (dark web) at relatively low prices, “making it even easier for less sophisticated hackers to deploy them against victims.”

The four types of viruses that criminals will use the most in 2022 to steal bitcoins from small investors / Source: Chainalysis.

In fact, according to the company's research, a subscription to Redline, an information-stealing malware, is priced at USD 150 per month, or up to USD 800 for lifetime access, according to an offer posted on a Russian cybercrime blog.

The same offer includes access to Spectrum Crypt Service, a Telegram-based tool through which criminals can run Redline so that antivirus software has a harder time detecting it.

The proliferation of cheap access to malware families like Redline means that even relatively unskilled cybercriminals can use them to steal cryptocurrency. Law enforcement and compliance teams need to keep this in mind and understand that the malware attacks they investigate are not necessarily carried out by the administrators of the malware family themselves, but are often carried out by smaller groups that rent access to the malware family, similar to ransomware affiliates.

Chainalysis, blockchain analysis firm.

Almost half a million dollars in stolen bitcoins

Chainalysis provided details of the amounts that hackers have stolen using these malware families. To mention just a few, Cryptbot, an info-stealer that harvests the victim's wallet and keys, took in $500,000 worth of bitcoins.

Another case was QuilClipper, a clipper-type virus or clipboard thief. The way this malware works is interesting: it inserts new text into the device's clipboard, replacing whatever the user previously copied, so that the substituted text is what gets pasted elsewhere.

Number of victim transfers to cryptocurrency addresses associated with a sample of malware families in the information stealer and clipper categories / Source: Chainalysis.

In this case, the virus detects when the user copies a wallet address to which to send funds, then replaces the copied text with the hacker's address, and the victim ends up depositing bitcoins to the hacker without realizing it. The criminal has, in effect, hijacked the transaction.
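As an added defensive illustration (not from Chainalysis or this article), the Python below reconstructs the check a wallet or endpoint agent could run against the clipper behavior just described: it records what the user copied and flags any paste whose address differs, even when the first and last characters still match. The address patterns, the event log and the sample addresses are constructed assumptions.

```python
import re

# Rough shape checks for common address formats (constructed, not exhaustive).
# A clipper substitutes a *valid* address, so a format check alone cannot catch
# the swap; it only tells us which clipboard contents are worth tracking.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Name of the address format `text` resembles, or None."""
    t = text.strip()
    return next((n for n, p in ADDRESS_PATTERNS.items() if p.match(t)), None)


def find_clipboard_swaps(events):
    """Report clipper-style swaps in a list of (action, text) clipboard events.

    action is "copy" (user put text on the clipboard) or "paste" (text read back,
    e.g. into a wallet's recipient field). A swap is any paste whose text differs
    from the address most recently copied, however small the difference.
    """
    swaps, last_copied = [], None
    for action, text in events:
        if action == "copy":
            last_copied = text.strip()
        elif action == "paste" and last_copied and address_type(last_copied):
            pasted = text.strip()
            if pasted != last_copied:
                pairs = enumerate(zip(pasted, last_copied))
                diff_at = next((i for i, (a, b) in pairs if a != b),
                               min(len(pasted), len(last_copied)))
                swaps.append({
                    "copied": last_copied, "pasted": pasted, "first_diff_at": diff_at,
                    # Glancing at both ends, which is all most users do, misses this.
                    "ends_match": pasted[:6] == last_copied[:6] and pasted[-4:] == last_copied[-4:],
                })
    return swaps


# Constructed event log (not real funds): the ETH paste keeps the first six and
# last four characters of the copied address but has a different middle.
SAMPLE_EVENTS = [
    ("copy", "meeting notes for friday"), ("paste", "meeting notes for friday"),
    ("copy", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"), ("paste", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("copy", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ("paste", "0x5290deadbeefdeadbeefdeadbeefdeadbeef9EE7"),
]

if __name__ == "__main__":
    for s in find_clipboard_swaps(SAMPLE_EVENTS):
        print(f"swap: copied {s['copied']} but pasted {s['pasted']} "
              f"(first difference at index {s['first_diff_at']}, ends match: {s['ends_match']})")
```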

Cryptojackers, meanwhile, are more technical and insidious. They use the victim's computing power to mine cryptocurrencies, typically Monero, although cases involving Zcash and Ethereum have also been seen.

Little more is known about these. Because the mined coins move from the mempool to unknown mining addresses, it is very difficult to passively collect data on this activity.

However, Chainalysis notes that in 2020, Cisco’s cloud security division reported that cryptojacking malware affected 69% of its customers.

Total percentage received by each malware family / Source: Chainalysis.

That represents a large amount of stolen computing power, as well as a significant quantity of illegally mined cryptocurrency: a 2018 Palo Alto Networks report cited by Chainalysis estimated that 5% of the Monero then in circulation had been mined by cryptojackers, for up to $100 million in revenue.

DeFi protocols, the final destination of stolen funds

Chainalysis also studied where stolen funds end up. In 2021, cryptocurrency exchanges received only 54% of the coins sent from malware addresses, about 38% less than the previous year, when the figure stood at 75%.

However, there was an increase in the use of DeFi protocols, such as decentralized exchanges, as the final destination of funds extracted from victims: 20% of the transfers went to decentralized platforms.

DeFi protocols and centralized exchanges were the most common destinations for stolen funds in 2021. / Source: Chainalysis.

Additionally, illicit services unrelated to malware, most of them operating on the darknet, “are also a major money laundering avenue for virus operators, receiving approximately 15% of all funds sent from malware addresses in 2021.”

Users: be more careful

Chainalysis points out that one way to avoid falling into these traps is simply to be more careful, especially when it comes to clippers, which are usually aimed at ordinary cryptocurrency users.

It is extremely difficult to tell if one has been clippered until a transaction has been hijacked given how long and complex cryptocurrency addresses are: most people don’t read the recipient’s full address between pasting it into their wallet and sending a transaction. However, that may be necessary for users trying to be as careful as possible. At the very least, cryptocurrency users should be vigilant about the links they click and the programs they download, as there are several strains of malware active, not just clippers, but others as well, trying to steal your funds.

Chainalysis, blockchain analysis firm.

In the end, the company reflects, cybercriminals remain the same, but they are adapting to new methods of fraud that let them take advantage of victims more easily and less visibly. For that reason, it says, cybersecurity teams need “new equipment in their toolbox.”