HackBoss Cryptocurrency Stealer Spreading Via Telegram

You are currently viewing HackBoss Cryptocurrency Stealer Spreading Via Telegram

HackBoss is a veteran of the cryptocurrency malware scene, having been active since 2018. As of last year, in a report from Avast, Hackboss is believed to have made nearly $600,000 from its victims. The virus spreads via Telegram.

Hackboss is a relatively simple cryptocurrency-stealing malware, but its monetary gain is significant. The operators of Hackboss run a Telegram channel, which is used to spread the malware.

The Telegram channel is promoted to provide “The best software for hackers (hack bank / dating / bitcoin)”.

The software that is supposed to be published on this channel varies from bank and social site crackers to various cryptocurrency wallet and private key crackers or gift card code generators.

However, although each promoted application is promised to be some hacking or cracking application, it never is. The truth is quite different — each published post contains only a cryptocurrency-stealing malware concealed as a hacking or cracking application. What is more, no application posted on this channel delivers promised behavior: all of them are fake.

Though it may seem that this is purely hackers grifting hackers, there is more to the story. Samples have been fold in the wild of HackBoss embedded in a number of apps, from cryptocurrency wallet apps to phoney exchanges.

The Hack Boss channel was created on November 26, 2018, and has over 2,500 subscribers so far. Authors publish an average of 7 posts per month and each post is viewed approximately 1,000 times.


Posts on the Hack Boss channel promoting a fake cracking or hacking application usually contain a link to encrypted or anonymous file storage from which the application can be downloaded.

The post also contains a bogus description of the application’s supposed functionality and screenshots of the application’s UI.

After downloading the application as a .zip file, you can run the .exe file inside and a simple UI will be displayed.


The application, once opened, does not contain behaviour a user would expect. Its primary function is triggered by a target clicking any button in the UI.

After that, a malicious payload is decrypted and executed in the AppData\Local or AppData\Roaming directory. It can also be set to run at startup by setting up the value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key or a task can be scheduled to run the malicious payload repeatedly every minute.

What follows is a simple yet effective operation. The malware will regularly check the clipboard content for a format of a cryptocurrency wallet and, if a wallet address is present there, it replaces it with one of its own wallets.

The malicious payload keeps running on the victim’s computer even after the application’s UI is closed. If the malicious process is terminated — for example via the Task manager — it can then get triggered again on startup or by the scheduled task in the next minute.

Though it may seem simple, HackBoss has proven to be quite effective, given how often those involved in cryptocurrency copy and paste their wallet address without actually examining it.

If a user figures out the dupe, it doesn’t matter for the HackBoss operators – Given the size of the Telegram channel, they have a constant stream of new victims.

Statistics about the spread of this malware upon Avasts’ user base since November 2018 can be seen below.

Protecting Your Cryptocurrency Threats Like HackBoss

Cryptocurrency and the blockchain stand to be a major driving factor in the technology of the future. However this popularity has attracted an element of cybercrime. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a user would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply