Hackers Stole Over $150,000 From Zcash, Ethereum, and Bitcoin Wallets

An anonymous group of hackers has begun to target Bitcoin, ZCash, Ethereum, and Monero wallets with malware known as CryptoShuffler, successfully stealing $150,000 from user wallets within the past few months.

CryptoShuffler is a type of malware which infects computers and mobile phones through phishing attacks in the form of emails, attachments, and messages. Once CryptoShuffler penetrates a system, it idly operates behind the scenes, waiting to detect a cryptocurrency wallet address on the clipboard. Once the user copies and pastes a cryptocurrency wallet address, for instance a bitcoin address, the CryptoShuffler malware automatically alters the bitcoin address on the clipboard to the wallet address of CryptoShuffler.

For the victims, it is difficult to spot the sudden alteration in the address because the CryptoShuffler malware has tens of thousands of addresses in its system. Using its algorithm, it chooses the address from its pool that is the most similar to the victim’s address, and replaces the victim’s address with one of its addresses, rerouting the funds to the hacking group’s cryptocurrency wallets.

“This Trojan clearly demonstrates that an infected computer or smartphone will not necessarily slow down or display ransom messages. On the contrary, many kinds of malware try to keep a low profile and to operate as stealthily as possible; the longer they remain undetected, the more money they will make for their creators,” said the Kaspersky Lab team.

It is also challenging to detect and remove the CryptoShuffler malware, or any cryptocurrency-targeting malware of its kind, because it sits dormant within the operating system. In most cases, even a full format or factory reset will not remove the malware. A clean wipe of the hard drives is necessary.

While it is hard to spot and eliminate the malware once it penetrates an operating system, it is not difficult to prevent cryptocurrency wallet-targeting malware from entering the system in the first place. Usually, malware of this type can only be installed on a device through phishing attacks and downloads of attachments, files, and images. Hence, in addition to enabling antivirus software, it is important to verify the files that are downloaded to the device to ensure that they do not contain any malware.

Another way of preventing funds from being rerouted is to double-check the cryptocurrency wallet address that is entered. Because CryptoShuffler changes the address as soon as it hits the clipboard, a safe approach is to confirm that the address that was copied and pasted matches the address of the intended recipient.
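The double-check described above, written out as an added example (not code from the article or from Kaspersky): it validates a legacy Bitcoin address's Base58Check checksum and compares the pasted address with the intended one, flagging a "lookalike" when only the middle differs, which is what a hijacker choosing the closest address from its pool would produce. The addresses used as lookalikes in the checks are constructed.

```python
import hashlib

# Base58 alphabet used by legacy (Base58Check) Bitcoin addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def verify_paste(intended: str, pasted: str) -> dict:
    """Compare the address the user meant to send to with what landed in the
    input field. A substituted address that shares a short prefix and suffix
    with the intended one is reported as a likely lookalike; anything else
    that differs is a plain mismatch. 'first_diff' is the position of the
    first differing character, so the user can see where it changed."""
    pasted = pasted.strip()
    valid = is_valid_btc_address(pasted)
    if pasted == intended:
        return {"verdict": "ok", "first_diff": -1, "valid": valid}
    limit = min(len(intended), len(pasted))
    first_diff = next((i for i in range(limit) if intended[i] != pasted[i]), limit)
    suffix = 0  # shared trailing characters, never overlapping the shared prefix
    for a, b in zip(reversed(intended), reversed(pasted)):
        if a != b or suffix >= limit - first_diff:
            break
        suffix += 1
    verdict = "lookalike" if first_diff + suffix >= 4 else "mismatch"
    return {"verdict": verdict, "first_diff": first_diff, "valid": valid}
```

A wallet front end would run `verify_paste` on the field contents just before signing, with `intended` taken from the recipient's out-of-band confirmation rather than from the clipboard.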

An Ethereum user with the online alias “Apneal” was once a victim of the CryptoShuffler malware. When Apneal sent a couple of small Ether transactions from MyEtherWallet, Apneal noticed that the transactions had not arrived in the recipient's wallet after many hours. Apneal later discovered that the clipboard automatically changed the address once it was copied and pasted, rerouting the Ether transactions.

“Copy the address from MyEtherWallet, paste into notepad. It changed it right on the spot. Maybe I didn’t copy right? Copy paste again, same address. Maybe my clipboard isn’t flushing? Copy other text on the screen and paste, that works, copy address again and paste, that same different address appears. Something funky with MyEtherWallet? Open up Firefox, go to my wallet, copy-paste. That works fine. This is on my end,” wrote Apneal.