Clipboard Hijacker: Malware Empties Bitcoin Wallets

A fairly new piece of malware called Clipboard Hijacker manipulates the clipboard of Windows computers. As soon as the user copies a Bitcoin address known to the malware to the clipboard, the address is automatically changed. The cryptocurrency then ends up in the cybercriminals' wallet instead of the intended account. This new variant is part of the recently released "All-Radio 4.27 Portable" malware package. It automatically monitors around 2.3 million Bitcoin addresses.

The Bleeping Computer team has identified a particularly sophisticated piece of malicious software for Windows computers

The Clipboard Hijacker contains 2.3 million Bitcoin addresses that are worth cash to cybercriminals. Many users of online trading platforms copy and paste the wallet's destination address. However, as soon as one of the 2.3 million known addresses appears in the clipboard, the Trojan changes the clipboard contents: instead of the intended wallet address, the cybercriminals' address is inserted automatically. The number of stored wallet addresses is record-breaking. Previously known clipboard hijackers had only 400,000 to 600,000 addresses of various cryptocurrencies (mostly Bitcoin) in their portfolio.

The malware installs itself quickly, silently and easily. After downloading the file d3dx11_31.dll, the virus creates an executable file called "DirectX 11", whose name keeps it from attracting attention. This file becomes active as soon as the user logs on to Windows. Later, two more files are stored on the target computer. After that, nothing visible happens: the malware is designed not to interfere with normal operation and is not noticeable in any other way. It waits on the infected computer until a wallet address is placed in the clipboard and then changes it if necessary. The problem: if users do not carefully check the destination wallet address, they will not detect the fraud. When the coins are sent, they end up in the cybercriminals' account and are therefore lost forever.

How can I protect myself from the Clipboard Hijacker?

If you want to protect your Bitcoin transfers against manipulation, you should update your antivirus software and then have it scan the PC completely. In addition, it always makes sense to manually compare the destination address with the original several times during transfers. That way, even with new types of malware, you can prevent money from being redirected to third-party accounts, even if your computer is infected. Clipboard hijackers were already reported more than ten years ago, when Mac OS X users were also affected. What is new is changing the clipboard to redirect cryptocurrencies. The earlier malware was immediately noticeable because the clipboard was no longer usable. The new variant is particularly insidious because it only becomes noticeable when it is too late and, at the same time, has an extensive database of Bitcoin addresses.
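The silent address swap described above can also be checked for mechanically. The following Python sketch is an added example, not code from the article or from Bleeping Computer: it flags clipboard snapshots in which one valid Bitcoin address is replaced by a different valid address within a short time. Assumptions: the snapshots come from a hypothetical clipboard poller, the one-second window is an arbitrary choice, only legacy Base58Check addresses are recognized, and the sample addresses are constructed from dummy data.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def make_address(hash160, version=0):
    """Base58Check-encode a 20-byte hash; used here only to build sample data."""
    raw = bytes([version]) + hash160
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_btc_address(text):
    """True if text is a well-formed legacy (Base58Check) Bitcoin address."""
    s = text.strip()
    if not 26 <= len(s) <= 35 or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    if n >= 1 << 200:  # decoded value does not fit in 25 bytes
        return False
    raw = n.to_bytes(25, "big")
    return _checksum(raw[:21]) == raw[21:]

def find_swaps(events, max_gap=1.0):
    """events: (timestamp_seconds, clipboard_text) snapshots in time order.
    Flags a valid address replaced by a different valid one within max_gap."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        old, new = old.strip(), new.strip()
        if (t1 - t0 <= max_gap and old != new
                and is_btc_address(old) and is_btc_address(new)):
            alerts.append((t1, old, new))
    return alerts

# Constructed sample data: addresses derived from dummy hashes, not real wallets.
COPIED = make_address(bytes(range(20)))
SWAPPED = make_address(bytes(range(20, 40)))
SAMPLE = [(0.0, "meeting notes"), (10.0, COPIED), (10.2, SWAPPED), (60.0, "hello")]

if __name__ == "__main__":
    for when, old, new in find_swaps(SAMPLE):
        print(f"{when:.1f}s: clipboard address {old} was replaced by {new}")
```

A user deliberately copying a second address shortly after the first would also trigger the alert, so a hit is a prompt to compare the pasted address with the original, not proof of infection.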