Using a technique called crypto clipping, the Phorpiex variant substitutes wallet addresses during a transaction.

A botnet known for sextortion and crypto-jacking has now been tweaked to steal cryptocurrency as well.

A new variant of Phorpiex, called Twizt, has been observed to operate without active command and control servers, meaning each computer that it infects can widen the botnet.

According to Check Point Research (CPR), Twizt has already appropriated nearly half a million dollars’ worth of cryptocurrency. New features in the variant have led researchers to believe that the botnet may become even more stable and, therefore, more dangerous.

How Twizt works

The variant leverages a technique called “crypto clipping” to steal cryptocurrency by automatically substituting the intended wallet address with the threat actor’s wallet address. The result is that funds go into the wrong hands.

In a one-year period between November 2020 and November 2021, Phorpiex bots had hijacked 969 transactions, stealing 3.64 Bitcoin, 55.87 Ether, and US$55,000 in ERC20 tokens. The value of the stolen assets in current prices is almost half a million US dollars.

Several times, Phorpiex was able to hijack transactions involving large amounts of funds, with the largest being 26 ETH in one intercepted Ethereum transaction.

According to CPR’s Cyber Security Research & Innovation Manager, Alexander Chailytko, there are three main risks involved with the new variant of Phorpiex.

  1. First, Twizt uses a peer-to-peer model and is able to receive commands and updates from thousands of other infected machines. A peer-to-peer botnet is harder to take down and disrupt its operation. This makes Twizt more stable than previous versions of Phorpiex bots.
  2. Second, as well as old versions of Phorpiex, Twizt is able to steal crypto without any communication with C&C. Therefore, it is easier to evade security mechanisms such as firewalls in order to do damage.
  3. Third, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero. This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected.

“I strongly urge all cryptocurrency users to double check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands,” said Chailytko.

Security tips

Users are reminded that, when copying and pasting a crypto wallet address, always double check that the original and pasted addresses match. Before sending large amounts in crypto, first send a probe ‘test’ transaction with minimal amount.

Additionally, keep your operating system updated, do not download software from unverified sources. Finally, scammers using Google Ads to link to phishing sites to steal crypto wallets. When using search engines to shop for crypto trading and swapping platforms, always avoid the ad links and check only the real search results. Look at the linked URLs and double-check if they lead to legitimate websites. If in doubt, you can always skip the links and visit the official websites of the firms you are researching.