'CryptoShuffler' Malware Swaps Wallet Addresses Copied To Clipboards

On October 31, Sergey Yunakovsky of the Russian cybersecurity firm Kaspersky Lab published an account of a malware scheme that his company had uncovered, built around a Trojan horse-style program that he calls “CryptoShuffler.” In this scheme, malicious code that can recognize cryptocurrency wallet addresses is surreptitiously loaded onto the web browser of a victim’s computer. Once the victim copies a wallet address to his or her clipboard, the malware replaces it with a public key corresponding to a wallet belonging to the attacker. If the victim pastes this key into the recipient field of a webpage or other module controlling the transfer of cryptocurrency and executes the transaction, he or she will send the assets in question to the attacker’s wallet rather than to the intended party.

While some online wallet services and exchanges admonish their users to copy and paste addresses rather than typing them, warnings to double check the accuracy of a copied key are rarer. As is the case with many crypto scams, there exist no reliable means for victims of this scheme to recover lost funds.

As Yunakovsky reported, similar scams in the past have targeted bitcoin and WebMoney, but this particular piece of malware “is aimed at all popular cryptocurrencies,” including Ether, dogecoin, Litecoin, Dash, Monero, and Zcash.

The bitcoin wallet associated with this scam has received over 23 BTC since September 2016, equivalent to upwards of $160,000 at press time, but it’s unclear what portion of this amount can be attributed to the malware.

Other recent cryptocurrency scams have involved deceitful URLs, misleading or fraudulent token sales, and the practice of hijacking victims’ web browsers or processing power for the purpose of mining tokens.