CryptoShuffler Malware Replaces Wallet Addresses Copied to Clipboards, Nets $170,000

Kaspersky Labs recently published a blog post in which it notes that it detected an active campaign from one of the most successful malware families in the cryptocurrency industry: CryptoShuffler. Essentially, what it does is sit idly on users’ computers while watching their clipboard. Once a cryptocurrency wallet address is copied to it, CryptoShuffler replaces it with the attackers’ address.

If users don’t pay attention to the address they paste before making transactions in various cryptocurrencies, including Bitcoin, Monero, Zcash, Litecoin, and others, they may be sending money to CryptoShuffler’s admins.
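The user-side defence the paragraph above implies is simply "compare what you copied with what you are about to paste". The Python below, an added example that is not code from Kaspersky or from this article, makes that comparison mechanical: it recognises the address shapes of the coins the article names (prefix, character set and length only, no checksum validation, so the patterns are an assumption rather than a full validator), and flags any paste where the clipboard no longer holds the address the user copied. The clipboard events and wallet addresses in it are constructed for the demonstration.

```python
"""Detect clipboard address swaps by comparing copied text with pasted text.

Constructed defensive example: address patterns are shape checks for the
coins named in the article, not full checksum validation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Base58 (no 0, O, I, l) and bech32 (no 1, b, i, o) character classes.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[ac-hj-np-z02-9]"

# Shape-only patterns (assumed prefixes/lengths for the common address types).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1{BECH32}{{6,87}})$"),
    "litecoin": re.compile(rf"^(?:[LM]{BASE58}{{26,33}}|ltc1{BECH32}{{6,87}})$"),
    "monero": re.compile(rf"^[48]{BASE58}{{94}}$"),
    "zcash": re.compile(rf"^(?:t[13]{BASE58}{{33}}|zs1{BECH32}{{6,87}})$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address shape `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipboardEvent:
    copied: str  # what the user actually selected and copied
    pasted: str  # what the clipboard held at the moment of pasting


@dataclass
class SwapAlert:
    expected: str  # the address the user copied
    actual: str    # the address that ended up in the payment field
    coin: str      # coin whose address shape was detected


def detect_swaps(events: List[ClipboardEvent]) -> List[SwapAlert]:
    """Flag every event where a wallet address changed between copy and paste.

    A change is only interesting if at least one side looks like a wallet
    address; ordinary clipboard churn (URLs, text) is ignored.
    """
    alerts = []
    for ev in events:
        if ev.copied.strip() == ev.pasted.strip():
            continue  # clipboard intact, nothing to report
        coin = classify_address(ev.pasted) or classify_address(ev.copied)
        if coin is None:
            continue  # changed, but neither side is a wallet address
        alerts.append(SwapAlert(expected=ev.copied, actual=ev.pasted, coin=coin))
    return alerts


# Constructed sample events (all addresses are made up for this example).
GOOD_BTC = "1Defender7hKJ9QmXz3nbMaCtPyR4Tv5wBq"
SWAPPED_BTC = "3Attacker9pXqR2mNv7wKdTsBfYhJ4cLzE8"
GOOD_LTC = "LcKpT7RvXm3nB9qYwZdHs4JfNgQ2Wbe5ua"
SWAPPED_LTC = "MaV5hQ8JrXz2kNpT4mWbC7dYsFg9LeRu3t"

SAMPLE_EVENTS = [
    ClipboardEvent(GOOD_BTC, GOOD_BTC),                       # untouched paste
    ClipboardEvent(GOOD_BTC, SWAPPED_BTC),                    # address replaced
    ClipboardEvent("https://example.com/invoice/42",
                   "https://example.com/invoice/42"),         # non-address text
    ClipboardEvent(GOOD_LTC, SWAPPED_LTC),                    # address replaced
    ClipboardEvent("meeting notes", "unrelated text"),        # churn, ignored
]


def run_demo() -> List[SwapAlert]:
    """Run the detector over the constructed events and print any alerts."""
    alerts = detect_swaps(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[{a.coin}] clipboard swap: expected {a.expected}, got {a.actual}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The same comparison can be wired into a wallet or exchange front end as a pre-send confirmation: keep the address the user last copied, and refuse to submit a transaction when the destination field no longer matches it. Because the patterns are shape checks only, a production version would add per-coin checksum validation before trusting a match.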

Bleeping Computer notes that the malware has been active since at least 2016 and that its Bitcoin wallet reached its peak later that year, although a new campaign has recently been launched. Sergey Yunakovsky, the author of Kaspersky’s blog post, complimented the malware, stating:

“The malware described is a perfect example of a ‘rational’ gain. (…) The scheme of its operation is simple and effective: no access to pools, no network interaction, and no suspicious processor load.”

CryptoShuffler’s Bitcoin wallet records show the cybercriminals behind it netted 23.24 BTC, worth about $170,000 at press time, with one Bitcoin currently worth $7,145.39 according to data from Cryptocompare. Considering it affects other cryptocurrencies as well, the figure could be much higher.

As Kaspersky Labs notes, most cryptocurrency-related malware wallets have relatively small amounts in them, often $50-$100. CryptoShuffler’s simplicity and incredible Return on Investment (ROI) make it one of the most successful ones out there.

As reported by Core Media, the cryptocurrency ecosystem’s value surge this year has attracted various schemes. So much so that some are trying to use people’s mobile devices to mine cryptocurrencies, despite low profits.

A recent mining trend, partly triggered by The Pirate Bay’s Monero mining experiment, has even led a hacker to compromise CBS-owned Showtime websites and add Monero mining code to them. It ultimately forced Cloudflare to crack down on websites using it without user permission. One of the organizations providing Monero-mining code, Coinhive, was recently hijacked by hackers who then redirected mined cryptocurrency to a wallet they owned.

Another tactic cybercriminals seem to be adopting is fake cryptocurrency exchange apps. Recently, two fake Poloniex apps were removed from Google Play, while a third one may still be out there.