How Hackers Use Clipboard to Steal Cryptocurrencies

23 May 2023 9 minutes Author: Lady Liberty

In this article, you will learn about a new threat to crypto-currency owners – the Clipper Trojan, which steals coins by replacing wallet addresses in the clipboard. This malware spreads under the guise of the popular Tor browser, which is used for anonymous Internet surfing. We will explain how this Trojan works, which currencies are at risk and how to protect your assets from theft.

History of attacks

Attackers learned how to replace the contents of the clipboard more than 10 years ago. It all started with banking Trojans that attacked users of certain banks and replaced the victim’s account number copied to the clipboard. Therefore, in 2013, the CERT Polska team published a report in which it warned Polish bank customers about this threat.

However, for the attack to be successful, the attacker must be able to identify the specific online banking environment used by the victim. In addition, other bank details (such as SWIFT code, branch, etc.) must match the criminals’ account for the transfer to take place. The shift to global, vendor-neutral technologies such as crypto wallets has made it much easier for attackers.

In addition, when the value of cryptocurrencies began to rise significantly, the digital currency became a profitable target. Then we discovered the first attacks on cryptocurrency holders by replacing the contents of the clipboard. Attackers used the same malicious code to create different malware. Our solutions detect multiple strings using a common solution – Generic.ClipBanker.

How dangerous are malware that replaces data in the clipboard?

Although clipboard override attacks are simple, they are much more dangerous than they first appear. Not only because stolen funds are difficult to recover, but also because attacks are completely invisible to ordinary users. Think about it: Most malware requires a communication channel between the operator and the victim’s system to achieve its goal. Backdoor needs a control channel, a spy trojan needs a channel to transmit stolen data, and a cryptocurrency miner also needs a network connection. There are very few malware that are completely self-contained and do not require an Internet connection, but these are the most dangerous.

This is self-replicating malware such as destructive viruses and network worms, ransomware that encrypts local files, and more. Although worms and viruses do not connect to the command server, they create heavy network traffic or increase the load on the CPU or RAM. . The work of the cipher is no less remarkable. Clippers, on the other hand, can remain anonymous for years: you won’t see any network activity or other signs of their presence on your system until they change their wallet address.

Another important factor is the ability to identify harmful loads. Most malware can be detected by matching IP addresses, domains, and associations used with known malicious infrastructure, or by automatically launching malicious payloads. Clippers do not launch malicious payloads until an external condition is met – copying data of a certain format to the clipboard. This greatly reduces the chance of discovering new malware through automatic scanning of the isolated software environment.

Tor browser installers with a trojan inside

Some of the latest modifications of clippers are distributed under the guise of the Tor browser, which is used to access the shadow Internet through the Onion protocol or the so-called Tor network. We attribute this to the blocking of the Tor project in Russia at the end of 2021, which was announced by its development team. According to them, in 2021, Russia was the second country with the largest number of users of the Tor browser, with more than 300,000 people connecting through it every day, which is 15% of the total number of Tor users. The developers of the project called to help Russian users continue to use this network to bypass the ban.

They were heard by the creators of malicious software, which began to be distributed among Russian-speaking users by installers of the Tor browser with a Trojan inside. The first samples appeared already in December 2021, but only from August 2022, the Russian Internet space was flooded with a massive wave of attacks using malicious files torbrowser_ru.exe. Infected installers imitated versions of the Tor browser with an extended language pack that includes the Russian language, which can be understood from the file name.

We found hundreds of similar installers that behaved in the same scenario.

The victim downloads an infected torbrowser.exe file from a third-party resource and runs it, thinking it is installing the Tor browser. The malicious installer is a self-extracting RAR SFX archive that is not protected by a digital signature.

There are three files in the archive:

  • The original torbrowser.exe installer with a valid Tor Project digital signature;

  • A command-line tool with an arbitrary name for extracting an archive;

  • Random password protected RAR archive.

To avoid suspicion, the SFX archive runs the original torbrowser.exe installer, along with a password-protected RAR unpacker. A password avoids detection by an anti-virus solution using static signature analysis, but does not prevent detection in a sandbox.

The password and path to extract the archive are contained in the trojanized file torbrowser.exe. They can be found out with the help of manual analysis. The malicious file is injected into one of the subfolders of the AppData directory of the active user, starts a new process and registers itself in autostart. The malware uses the icon of a popular program, such as uTorrent, to disguise itself.

Clipper Trojan

The installer brings the switch to the device in passive mode and does not pretend to be anything.

Enigma 4.0 is used to protect against malware, which makes analysis difficult. Enigma is a software tool for securing business applications. The malware author could have used a cracked version without license information. However, we were able to retrieve the serial number of the attacker’s system drive from the malware sample. We’ll keep it here in case this or other malware from the same developer reaches law enforcement: 9061E43A.

The principle of operation of this pest is quite simple: it integrates into a chain of programs that are allowed to view the Windows clipboard and receive notifications of changes to the data copied to it. If the cache contains text, the malware checks it using a set of built-in regular expressions. If a match is found, the program will replace the text with a randomly selected address from the provided list.

Hex dump of extracted data from malware with regular expressions and attackers wallet ID

In this entire sample, we found the following regular expressions

  • bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) — Bitcoin

  • (^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) — Litecoin/Bitcoin Legacy

  • (^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s) — Dogecoin

  • (^|\s)0x[A-Fa-f0-9]{40}($|\s) — ERC-20 (т. е. Ethereum, Tether, Ripple и др.)

  • (^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) — Litecoin Legacy

  • ((^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) — Litecoin

  • (^|\s)8[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s) — Monero

  • (^|\s)4[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s) — Monero

Each sample contains thousands of possible bitcoin wallet addresses to swap. It becomes quite difficult to put them on the prohibited list or to track the theft. However, we do have all of these addresses and will share them with cyber threat researchers in an appendix to this article.

The authors of the malware left in it the possibility to disable it – for this, a special key combination (Ctrl+Alt+F10) is used. When these keys are pressed, the malicious program disables clipboard data interception and terminates its operation. This combination was probably needed to disable the malware during the testing phase.

Targets of attacks

Of the approximately 16,000 detections of the malicious Tor installer, most were reported in Russia and Eastern Europe. In total, this threat affected 52 countries around the world. According to our data, the attacks primarily affected the following 10 countries:

  • Russia

  • Ukraine

  • USA

  • Germany

  • Uzbekistan

  • Belarus

  • China

  • Netherlands

  • Great Britain

  • France

It is worth noting that we see only a small part of the whole picture. The total number of infections can be ten times higher.


To analyze the implications, we collected hundreds of known malware samples, stripped them of Enigma protection, and extracted the addresses where the malware overwrites user data. We studied the relevant blockchains and calculated the amount of cryptocurrency transferred to these wallets. We assume that all funds come from affected users. In this way, we calculate the total damage caused by the malware developer.

The Monero service uses advanced security technologies and anonymizes transaction data. Therefore, we cannot get information about the amount transferred from the public ledger, but we are sure that this amount is insignificant compared to the Bitcoin data.

We also believe that users actually suffer more because we only investigate attacks by people installing the malicious Tor browser. In other campaigns, attackers may attack other wallets, use other applications as fronts, and send malware to victims’ devices in other ways.

How to protect a crypto wallet from attack

The main mistake most victims of this pest make is downloading the Tor browser installer from a third-party resource. We could not find a site to download this file from. It is most likely distributed via torrent or other application downloaders. Installers downloaded from the official Tor Project website do not contain any signs of malware, and their authenticity is verified by a digital signature. Only download software from reliable, trusted sources to stay safe.

Even if you accidentally download a malicious file under the guise of being innocent, a quality security solution or VirusTotal service will help detect the threat. No matter how harmful it disguises itself, sooner or later it will be discovered – it’s only a matter of time.

You can check if there are any apps of this class hiding on your device using Notepad. Copy the following “bitcoin wallet address” into Notepad or type it yourself: bc1heymalwarehowaboutyoureplacethisaddress.

Now press Ctrl+C and Ctrl+V. If the address has changed, there is probably malware lurking on your system that changes the contents of the clipboard. It is dangerous to work on such a device. We recommend performing a full system scan using a security solution. However, if you want to be sure of the security of your system, you will have to reinstall it after infection.

Stay safe and don’t give fraudsters a chance to get to your crypto wallet.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.