The trojanlies in wait for victims to copy a crypto wallet address into the system clipboard, whereupon it pounces …

Cybercriminals have been using a new crypto theft campaign using a trojanized version of the Tor browser to affect more than 15,000 users across 52 countries involving an estimated US$400,000 in losses this year.

Victims are first enticed to download a trojanized version of the browser (compressed into a RAR archive with password protection to foil malware scanners). Once the browser is installed, it registers itself in the system’s auto-start process and employ a shortcut of a popular application, such as uTorrent.

Once a user of this ‘clipper malware’ copies a wallet address in the system clipboard, it replaces the address with the cybercriminal’s own wallet address. While this technique has been around for more than a decade and was originally used by banking trojans to replace bank account numbers, this new type of malware is now actively targeting crypto owners and traders.

So far, more than 15,000 attacks involving this clipboard injector malware targeting cryptocurrencies have been detected in Kaspersky’s customer base. The attacks have spread to at least 52 countries worldwide, with the majority of detections in Russia due to users downloading the infected Tor Browser from third-party websites because this browser is officially blocked there. Other countries affected include the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom, and France, which means the actual number of infections may be much higher.

Similarly, the actual amount of crypto stolen could be much greater, as this research focuses only on affected Tor Browser users: other campaigns may be using different software and malware delivery methods, as well as other types of wallets.

According to the firm’s spokesperson, Vitaly Kamluk: “Despite the attack’s fundamental simplicity, it poses a greater danger than it seems. Not only does it create irreversible money transfers, but it is also passive and hard for a regular user to detect. Most malware requires a communication channel between the malware operator and the victim’s system. On the contrary, clipboard injectors can remain silent for years, with no network activity or other signs of presence until the day they replace a crypto wallet address.”