Change clipboard

6 May 2023 5 minutes Author: Cyber Witcher

Harmful virus: changing Bitcoin addresses

The clipboard is part of the RAM of a desktop computer or laptop, as well as a phone or tablet (Android, iOS). This section temporarily stores what we copy. The information contained in it is not visible to the user. Everything new is always well-forgotten old, many probably remember when millions of $ were stolen from WM wallets using clipboard swapping, when WM was the main settlement system. Now, many people use cryptocurrencies, and their wallets are much longer, which is a plus. Have you ever noticed how, after copying the BTC address, a slightly different address is inserted into the submission form? Be careful as this clearly indicates that your device is infected with a Trojan virus. This virus was identified by Symantec specialists and named Trojan.Coinbitclip. This malware hijacks the contents of the clipboard by replacing a few digits in the copied wallet addresses.

The Trojan virus is activated when copying a certain set of numbers similar to a Bitcoin address. The virus uses a custom database consisting of numerous third-party Bitcoin addresses, with which the copied addresses are instantly replaced as soon as the program recognizes them. To check for a virus, copy and paste text or a set of numbers that differs from the format of the BTC address. If the copying is successful, but when repeating the same procedure, the inserted BTC address is different from the copied one, this can only mean one thing – your device is infected with a Trojan virus. If you have already sent funds to the wrong Bitcoin address, unfortunately it cannot be corrected, as transactions of this kind are irreversible.

How to write a virus

You need to find and run WinHex (I can’t give you a link, the program is very easy to navigate, you kill the name, you get the software), open buf.exe, scroll through the code (to where? pay attention to the slider) and find a list of crypto caches, they are separated by a space.

IMPORTANTLY! Do not run this eche on a virtual machine for tests, if you have a shared clipboard configured, the host machine will also be infected!!!

Order of baskets BTC, LTC, PPC, NMC, DSH, ETH. We change all baskets to our own. Entered, checked again? Click save, and you can close WinHex. The virus is ready! Now you need to encrypt it, thanks to the fact that there are a lot of cryptors and services on hack forums, this beast is encrypted easily.

Loading options

1. The most expensive

Buy, get traffic. Rent a connection of sploits, and load ehe. (for whom these are all incomprehensible words, google for help)

2. Spam loading

For example, such a topic. We get the soap base from some shop, with the same school dumper (what is it, Google it, there are tons of articles about it). We download and install Hiasm, this software helps to write a program without having programming skills. We create a simple fake software with the logo of the store from which the base was merged, in the program itself we make stupidly different offers with discounts, etc. Let’s glue our ehe with a fake program, a joiner (you can also find it in the archive). And we will spam all the customers of the shop.

Like “Hello! We are glad to introduce you to our new program, by downloading which you will get good discounts in our shop” You paint everything beautifully, with pictures, etc. In the same way, you can create any fake programs, glue them with ehe and spread spam anywhere!

We create a clipper

Suppose that a clipper is thrown on your PC. For example, you need to pay for a service or make a transaction. You copy the wallet number (it doesn’t matter what it is: crypto, poison, webmoney, qiwi), after you copy the wallet number, the clipper will replace the copied wallet with the wallet of the creator. The money flew in an unknown direction and it is almost impossible to prove anything to anyone. PROFIT!


Installing Python

Go to We download the latest version and install it.

Writing code

We import the modules we need:

Declare variables

The body of the code

We compile into an exe to feed our code to the victim

We will use the PyInstaller program. It can be installed thanks to the command that we need to enter in CMD: pip install pyinstaller. Here are the Pyinstaller arguments we’ll use:

  1. -F, will collect all files into one exe file.

  2. -w, disable the console.

  3. -i ***path to the icon***, an argument that will connect the icon to the program.

Final command for CMD: pyinstaller -F -w -i ***path to icon*** ***path to .py file***.

You can also find source codes of scripts on the Internet that will add this virus to StartUp and hide it from the Task Manager.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.