New clipper malware steals US$400,000 in cryptocurrencies via fake Tor Browser

Kaspersky researchers have discovered an ongoing cryptocurrency theft campaign affecting more than 15,000 users across 52 countries. Distributed under the guise of Tor Browser, the malware watches the clipboard; once it detects a wallet address there, it replaces that portion of the clipboard contents with the cybercriminal's own wallet address. It is estimated that, so far in 2023, cybercriminals have been able to steal approximately US$400,000 using this malware.
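As an added illustration (not code from the Kaspersky report), the following Python check shows how a defender could spot the behaviour described above from the victim's side: it scans a log of clipboard changes and flags any wallet address that is replaced by a different address of the same format without a user copy event. The `Snapshot` record, the address regexes and the sample log are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Assumed address formats a clipper would target (loose patterns, not full
# checksum validation): Ethereum hex, Bitcoin legacy base58, Bitcoin bech32.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
}


def address_kind(text: str):
    """Return the address family of text, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class Snapshot:
    ts: float        # seconds since monitoring started (constructed)
    content: str     # clipboard text at that moment
    user_copy: bool  # True if a user copy action caused this change


def find_substitutions(snapshots):
    """Flag transitions where one wallet address becomes a different address
    of the same family with no user copy action behind the change; that is
    the signature of a clipboard injector. Returns (old, new, kind) tuples."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev.content)
        if kind is None or address_kind(cur.content) != kind:
            continue  # not an address-to-address change of the same family
        if prev.content.strip() == cur.content.strip() or cur.user_copy:
            continue  # unchanged, or the user deliberately copied another one
        alerts.append((prev.content.strip(), cur.content.strip(), kind))
    return alerts


# Constructed clipboard log: the user copies an ETH address, then the
# clipboard silently changes to a different ETH address.
SAMPLE_LOG = [
    Snapshot(0.0, "meeting notes", True),
    Snapshot(5.0, "0x" + "a" * 40, True),
    Snapshot(5.1, "0x" + "b" * 40, False),   # silent replacement: alert
    Snapshot(20.0, "1" + "Q" * 33, True),
    Snapshot(30.0, "1" + "Q" * 33, False),    # same value: no alert
]

if __name__ == "__main__":
    for old, new, kind in find_substitutions(SAMPLE_LOG):
        print(f"{kind} address swapped: {old} -> {new}")
```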

While this technique has been around for more than a decade and was originally used by banking trojans to replace bank account numbers, with the rise of cryptocurrency this type of malware is now actively targeting crypto owners and traders.

“Despite the fake Tor Browser attack’s fundamental simplicity, it poses a greater danger than it seems. Not only does it create irreversible money transfers, but it is also passive and hard to detect for a regular user. Most malware requires a communication channel between the malware operator and the victim’s system. On the contrary, clipboard injectors can remain silent for years, with no network activity or other signs of presence until the day they replace a crypto wallet address”, comments Vitaly Kamluk, Head of APAC Unit, Global Research & Analysis Team.