A new clipboard virus threatens both Bitcoin and Ethereum wallets, although the hacker didn’t manage to make significant gains this time around.
Chinese cybersecurity analyst 360 Total Security discovered a brand new strain of virus affecting people attempting to send cryptocurrency to Bitcoin and Ethereum addresses.
Known as ClipboardWalletHijacker, it works by replacing addresses copied to a user’s clipboard to the hacker’s address.
“The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum. It tampers with the receiving address to its own address to redirect cryptocurrency to its own wallet. This kind of Trojans [sic] has been detected on more than 300 thousand computers within a week,” the company wrote.
Looking through the code that 360 Total Security was kind enough to provide us with, we find that the clipboard virus detects Ethereum addresses by scanning for the typical “0x” in the beginning and then making sure that the string is the appropriate length for such an address. The latter step is important, because if everything that started with “0x” would be replaced with the hacker’s wallet address (0x001D3416DA40338fAf9E772388A93fAF5059bFd5), then it would look a bit suspicious to the victim, especially if that person is a programmer.
It does something similar with Bitcoin addresses, checking instead for “1” or “3” at the beginning of the string and for a length of anywhere between 25 and 40 characters.
The amount of stolen cryptocurrencies goes up to the thousands of dollars, about enough to compensate for the tiny amount of time it would have taken to write such a simple piece of malware code.
In the two Bitcoin wallets the hacker uses in particular, the total amount stolen goes beyond 0.1 BTC, meaning a payday of above $700. Still, that must be a disappointing figure for the hacker, who was probably hoping for more after infecting over a quarter of a million computers. Last November, a lazy hacker managed to strike gold by stealing $150,000 in Bitcoin using the same method through a virus known as “CryptoShuffle.”