New trojan redirects transaction to steal £133,000

Published on: 2 Nov 2017

A new trojan that steals cryptocurrencies from a user’s wallet by replacing their address with its own in the device’s clipboard has been discovered by Kaspersky Lab.

The CryptoShuffler trojan has so far helped criminals raid 23 BTC from Bitcoin wallets - equivalent to just under £113,000 - with the total amount stolen from other wallets ranging from a few pounds to several thousand.

Kaspersky Lab says the way CryptoShuffler works is very simple and capitalises on the common transaction process used by most cryptocurrency users.

The trojan begins by monitoring the infected device’s clipboard over time. Whenever the user makes a payment, they typically copy the recipient’s wallet ID number and paste it into the “destination address” line in the software they are using to make their transaction.

This is where the trojan replaces the user's wallet address with one owned by the malware creator. So when the user pastes the wallet ID to the destination address line, it isn’t the address they originally intended to send money to and the victim transfers their money directly to criminals.
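As an added illustration (not from Kaspersky Lab or the original article), the following Python example shows a defender-side heuristic for the swap described above: it scans a log of clipboard observations for an address-shaped value that is overwritten by a different address-shaped value almost immediately, and compares the destination field against the intended address before sending. The address pattern (legacy Base58 Bitcoin addresses only), the two-second window, the function names and the sample log are all assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Tuple

# Shape of a legacy Base58 Bitcoin address (starts with 1 or 3). Shape only:
# no checksum is verified, and other coins/formats are out of scope (assumption).
BTC_SHAPE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

class Snapshot(NamedTuple):
    t: float   # seconds since monitoring started
    text: str  # clipboard content observed at that time

def looks_like_address(text: str) -> bool:
    return BTC_SHAPE.fullmatch(text.strip()) is not None

def find_swaps(log: List[Snapshot], window: float = 2.0) -> List[Tuple[float, str, str]]:
    """Flag an address-shaped value overwritten by a different address-shaped
    value within `window` seconds (assumed threshold: faster than a person
    would copy a second address)."""
    alerts = []
    for prev, cur in zip(log, log[1:]):
        a, b = prev.text.strip(), cur.text.strip()
        if (looks_like_address(a) and looks_like_address(b)
                and a != b and cur.t - prev.t <= window):
            alerts.append((cur.t, a, b))
    return alerts

def destination_matches(intended: str, field_value: str) -> bool:
    """Compare the whole address obtained from the payee against the value in
    the destination field just before the transaction is sent."""
    return intended.strip() == field_value.strip()

# Constructed sample data: placeholder strings that only have the right shape.
RECIPIENT = "1Recipient" + "X" * 24
SWAPPED = "1Swapped" + "Y" * 26
OTHER = "3Another" + "Z" * 26
SAMPLE_LOG = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(10.0, RECIPIENT),   # user copies the payee's address
    Snapshot(10.3, SWAPPED),     # overwritten 0.3 s later: flagged
    Snapshot(120.0, RECIPIENT),
    Snapshot(300.0, OTHER),      # different address minutes later: not flagged
]

if __name__ == "__main__":
    for t, copied, replaced in find_swaps(SAMPLE_LOG):
        print(f"t={t}s clipboard address changed: {copied} -> {replaced}")
    print("safe to send:", destination_matches(RECIPIENT, SWAPPED))
```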

Sergey Yunakovsky, malware analyst at Kaspersky Lab, said: “Cryptocurrency is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals.

“Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So users considering cryptocurrency investments should think about protecting their investments carefully.”