Breaking Blockchains: The Rise Of Cryptocurrency Malware


When cryptocurrency theft makes the news, the victims are nearly always large organizations, usually cryptocurrency exchanges or other businesses whose trade is cryptocurrency. In the last few years, however, there has been a surge of attacks in which hackers use malware to steal smaller amounts of cryptocurrency from individual users.

According to a recent report by Chainalysis, these types of individual attacks are set to become a primary focus in cybercrime for 2022.

Large-scale cryptocurrency heists are not new, and they require careful planning and skill on the hackers' part. But newer malware, usually rented or purchased rather than written by the attacker, lets even novice hackers spam millions of potential victims and steal a small amount from each one who is tricked into installing it.

“Many of these malware strains are available for purchase on the darknet, making it even easier for less sophisticated hackers to deploy them against victims,” researchers at Chainalysis stated.

There are already major players in the world of cryptocurrency malware that focus on stealing from individuals, as shown in the grid below.


Many of the malware families described above can be bought for relatively little money on cybercriminal forums. For instance, the screenshots below show an advertisement for Redline, an info stealer, posted on a Russian cybercrime forum.


Redline is sold as malware-as-a-service, with one month of access for $150 and lifetime access for $800.

“Buyers also get access to Spectrum Crypt Service, a Telegram-based tool that allows cybercriminals to encrypt Redline so that it’s more difficult for victims’ antivirus software to detect it once it’s been downloaded. The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency.”

The graph below shows the number of victim transfers to cryptocurrency addresses associated with a sample of malware families in the info stealer and clipper categories investigated by Chainalysis.

Overall, the malware families in this sample received 5,974 transfers from victims in 2021, up from 5,449 in 2020.

Which malware families were most active?

Cryptbot, an info stealer that takes victims' cryptocurrency wallet and account credentials, was the most prolific malware family in the group, raking in almost half a million dollars in pilfered Bitcoin. Another prolific family is QuilClipper, a clipboard stealer or “clipper,” ranked eighth on the graph above.

Clippers monitor the system clipboard, which holds the text a user has copied in order to paste it elsewhere, and can silently replace its contents.

Clippers use this to detect when a user has copied a cryptocurrency address to which they intend to send funds. The malware then substitutes an address controlled by the attacker, so when the user pastes into their wallet and confirms, the transaction is effectively hijacked and the funds go to the attacker. Because the substituted address is itself a valid address, nothing looks wrong unless the user compares what was pasted, character by character, with what they copied.
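As an added example, not part of the original article or of the Chainalysis report, the following Python simulates the address swap a clipper performs and the check a wallet or clipboard monitor can make to catch it. The sample addresses are constructed from made-up 20-byte hashes; the Base58Check validation is the standard encoding of legacy Bitcoin addresses, while Ethereum addresses are matched only by shape (the EIP-55 mixed-case checksum is not verified). The names of the functions and the in-memory "clipboard" are this example's own.

```python
import hashlib
import re
from typing import Dict, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses (P2PKH start with '1', P2SH with '3') are Base58Check
# strings of 26-35 characters; Ethereum addresses are 0x followed by 40 hex digits.
BTC_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits  # each leading zero byte becomes a '1'


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # raises ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def base58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    checksum = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return b58encode(data + checksum)


def base58check_valid(address: str) -> bool:
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    data, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] == checksum


def classify(text: str) -> Optional[str]:
    """Return 'btc' or 'eth' if text is a well-formed address of that kind, else None."""
    text = text.strip()
    if ETH_RE.match(text):
        return "eth"
    if BTC_LEGACY_RE.match(text) and base58check_valid(text):
        return "btc"
    return None


def clipper_substitute(clipboard: str, attacker_addresses: Dict[str, str]) -> str:
    """The hijack as a clipper performs it: if the clipboard holds an address,
    swap in the attacker's address of the same kind; otherwise leave it alone
    so ordinary copy/paste keeps working and the user notices nothing."""
    kind = classify(clipboard)
    if kind in attacker_addresses:
        return attacker_addresses[kind]
    return clipboard


def detect_hijack(copied: str, pasted: str) -> bool:
    """Defender-side check: what the user copied and what is about to be pasted
    are both addresses of the same kind, yet they differ. Validating the pasted
    address alone cannot catch this, because the attacker's address is valid too."""
    kind_copied, kind_pasted = classify(copied), classify(pasted)
    return kind_copied is not None and kind_copied == kind_pasted and copied.strip() != pasted.strip()


# Constructed sample data: addresses derived from made-up 20-byte hashes (not real wallets).
VICTIM_BTC = base58check_encode(b"\x00", bytes.fromhex("11" * 20))
ATTACKER_BTC = base58check_encode(b"\x00", bytes.fromhex("22" * 20))
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20
ATTACKER = {"btc": ATTACKER_BTC, "eth": ATTACKER_ETH}


def simulate(copied: str) -> dict:
    """Run one copy/paste through the clipper and then through the check."""
    pasted = clipper_substitute(copied, ATTACKER)
    return {"copied": copied, "pasted": pasted, "hijacked": detect_hijack(copied, pasted)}


if __name__ == "__main__":
    for sample in (VICTIM_BTC, VICTIM_ETH, "lunch at 12:30?"):
        print(simulate(sample))
```

The lesson in detect_hijack is that a checksum on the pasted address proves nothing about the swap: the attacker's address passes it just as the victim's does. Only comparing what was copied with what is about to be pasted, or reading the address back character by character before confirming the transaction, catches a clipper.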

None of the transfer counts above, however, capture what is probably the most prolific type of cryptocurrency-focused malware: cryptojackers.

Cryptojackers are veterans of the cybercrime world. They use the victim's computing power to mine cryptocurrency without the user's knowledge or consent. Monero, which is designed to be mined on ordinary CPUs, is the usual target, but cryptojackers that mine Zcash and Ethereum have also been reported.

Cryptojacking is hard to measure. The mined coins are issued as block rewards and paid out through mining pools rather than transferred out of a victim's wallet, so there is no victim-to-attacker transaction on the blockchain to count.
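Because cryptojacking leaves no victim transaction on the chain, it is usually caught on the host instead. The following Python is an added example, not from the article or the Chainalysis report, of the kind of triage a defender runs over process and connection data: it scores each process against several indicators and only flags it when the evidence corroborates, since high CPU use alone is also what a compiler or video encoder looks like. The indicators are this example's assumptions: the URL schemes of the Stratum mining protocol, the binary names of common open-source CPU miners and two of XMRig's characteristic options, and TCP ports that public mining pools conventionally listen on. The process snapshot is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators (assumptions for this example, not from the article).
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl|tls)://", re.IGNORECASE)
MINER_NAME_RE = re.compile(r"\b(xmrig|minerd|cpuminer)\b", re.IGNORECASE)
MINER_FLAGS = ("--donate-level", "--rig-id", "rx/0")   # XMRig options / RandomX algo name
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}           # conventional pool ports
CPU_THRESHOLD = 80.0                                   # percent of one core, sustained


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float
    remote_ports: Tuple[int, ...] = ()


def miner_indicators(proc: Proc) -> List[str]:
    """Collect every indicator that matches; the caller decides if they add up."""
    reasons = []
    if STRATUM_RE.search(proc.cmdline):
        reasons.append("stratum pool url in command line")
    if MINER_NAME_RE.search(proc.name) or MINER_NAME_RE.search(proc.cmdline):
        reasons.append("known miner binary name")
    if any(flag in proc.cmdline for flag in MINER_FLAGS):
        reasons.append("miner-style options")
    if proc.cpu_pct >= CPU_THRESHOLD and set(proc.remote_ports) & POOL_PORTS:
        reasons.append("sustained cpu with connection to a pool port")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """A Stratum URL is decisive on its own. Anything else needs a second signal,
    because legitimate software also pegs a core and port numbers collide."""
    return any(r.startswith("stratum") for r in reasons) or len(reasons) >= 2


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    flagged = {}
    for proc in procs:
        reasons = miner_indicators(proc)
        if is_suspicious(reasons):
            flagged[proc.pid] = reasons
    return flagged


# Constructed snapshot: a miner renamed to look like a kernel thread, a renamed
# miner whose pool address is hidden in a config file, and two legitimate
# CPU-heavy processes (a compiler and a JVM talking to a service on port 5555).
SAMPLE = [
    Proc(4242, "kworkerds", "./kworkerds -o stratum+tcp://pool.example:3333 -u WALLET -p x", 97.5, (3333,)),
    Proc(4343, "systemd-helper", "./systemd-helper --config hidden.json --donate-level 1", 99.0, (14444,)),
    Proc(1313, "cc1plus", "cc1plus -O2 -o main.o main.cpp", 99.0, ()),
    Proc(3131, "java", "java -jar app.jar", 92.0, (5555,)),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, reasons)
```

The second sample process is the case worth studying: its command line carries no pool URL, so a string match for "stratum" alone would miss it, but a miner-specific option together with a hot core connected to a pool port is enough to surface it. The JVM on port 5555 shows the opposite edge: one weak indicator is not flagged, which keeps the check from paging on every busy server.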

In 2020, Cisco’s cloud security division reported that cryptojacking malware affected 69% of its clients, which would translate to an incredible amount of stolen computer power, and therefore a significant amount of illicitly-mined cryptocurrency.

A 2018 report from Palo Alto Networks estimated that 5% of all Monero in circulation was mined by cryptojackers, which would represent over $100 million in revenue, making cryptojackers the most prolific form of cryptocurrency-focused malware.

These numbers are likely not the whole picture, as many of the true statistics remain obfuscated.

“The vast majority of malware operators receive initial victim payments at private wallet addresses, though a few use addresses hosted by larger services. Of that smaller group, the majority use addresses hosted by exchanges — mostly high-risk exchanges that have low or no KYC (Know Your Customer) requirements.”


After receiving cryptocurrency from victims, malware operators then send the majority of funds on to addresses at centralized exchanges.

However, that majority is slim and getting slimmer. Exchanges only received 54% of funds sent from malware addresses in 2021, down from 75% in 2020. DeFi protocols make up much of the difference at 20% in 2021, after having received a negligible share of malware funds in 2020. Illicit services seemingly unrelated to malware — mostly darknet markets — are also a significant money laundering avenue for malware operators, having received roughly 15% of all funds sent from malware addresses in 2021.

Malware-based cryptocurrency theft is difficult to investigate in part due to the large number of less sophisticated cybercriminals who can rent access to these malware families. But studying how cybercriminals launder stolen cryptocurrency may be investigators’ best bet for finding those involved. Using blockchain analysis, investigators can follow the funds, find the deposit addresses cybercriminals use to cash out, and subpoena the services hosting those addresses to identify the attackers.

Protection Against Cryptocurrency Malware

Cryptocurrency and the blockchain stand to be a major driving factor in the technology of the future. However, this popularity has attracted cybercriminals. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a user would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
