Attackers use clipboard stealer module to transfer millions in BTC, ETH, and DOGE

  • Hackers are using “copy and paste” to steal millions of dollars in BTC, ETH, and DOGE. 
  • Research shows that MyKings operators have stolen at least $24 million by manipulating clipboards. 

An investigation into the MyKings malware has revealed that its operators have stolen a minimum of $24 million in crypto by manipulating victims' clipboards. Cybersecurity researchers at software company Avast tied the thefts to one of the modules of the MyKings botnet: the clipboard stealer.

MyKings operators amassed at least $24 million 

As the crypto space attracts legitimate investors and traders, it has also drawn the attention of hackers and other cybercriminals. Analysis by Avast researchers showed that the MyKings botnet had transferred more than $24 million in crypto from 1,300 new wallet addresses. The amount was transferred in Bitcoin (BTC), Ethereum (ETH), and Dogecoin (DOGE).

According to a report by Jakub Kaloc and Jan Rubin of the Avast Threat Labs team, the MyKings malware continuously monitors whatever is copied to the clipboard. Any system that has the malware installed could be a victim. MyKings watches for a user copying a crypto wallet address to the clipboard. Once it detects a cryptocurrency wallet address on the clipboard, it replaces the original address with the attackers' wallet address. When the user pastes what they copied, they unknowingly paste the attackers' crypto wallet address instead, and the address substituted by the malware becomes the recipient of the transaction.

The trick is simple, and many users are liable to fall victim to it. Cryptocurrency wallet addresses are usually long and mix digits and letters. To avoid mistakes during transactions, many people copy and paste wallet addresses because it is easier and faster than typing them. Given the complexity of the addresses, a user is unlikely to notice that the address changed between copying and pasting.

The Avast researchers shed more light on the attack:

The main purpose of the clipboard stealer is rather simple: checking the clipboard for specific content and manipulating it in case it matches predefined regular expressions. This malware counts on the fact that users do not expect to paste values different from the one that they copied.

MyKings has been around since 2016, and it has extended its infrastructure over the years. Apart from the clipboard stealer, the MyKings botnet has other components such as a bootkit, droppers, coin miners, and others.

167 fake crypto and trading apps discovered 

Amid the increasing rate of cybercrimes involving cryptocurrencies, cybersecurity firm Sophos a few months ago identified 167 crypto apps that hackers used to steal from crypto holders. At the time of the identification, Sophos said the apps were available on both iOS and Android. As such, new investors and traders make the mistake of downloading and funding these fake trading apps.


Additionally, the Sophos researchers traced all the 167 apps to a single server. This means that the fake apps belong to the same group.

