ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

CryptoShuffler Trojan Stealing Coins: What You Need To Know

People who own the valuable cryptocurrency Bitcoin are being warned that there is a dangerous new exploit circulating. The CryptoShuffler Trojan allows cybercriminals to steal Bitcoins and other valuable cryptocurrencies from wallets. The exploit was discovered by the Russian cybersecurity firm Kaspersky Labs. It works by letting hackers replace a desired cryptocurrency wallet address with one of their own in the user's clipboard. 

According to the research released by Kaspersky, cybercriminals have already managed to steal 23 Bitcoins, which is the equivalent of approximately $140,000 (as of the end of October). In addition, thousands of dollars of other cryptocurrencies such as Litecoin, Dash, Monero, Ethereum, Zcash, and Dogecoin, have been accumulated. The security researchers believe the exploit has been circulating in the wild for around a year. 

Clipboard hijacking is not an uncommon type of cyberattack. In the past, security researchers have discovered a similar attack vector being used to target online payment systems, for example. At the moment, Kaspersky is confident that cases involving cryptocurrencies are pretty rare. As is the case with all valuable exploits, however, there is a danger that this kind of exploit might be emulated by other hackers - and probably even be sold on the darknet. 

How it works

The CryptoShuffler Trojan is actually very simple. It relies on people’s normal behavior patterns in order to pinpoint a probable cryptocurrency wallet address and quickly switch it out for one belonging to the hacker. Kaspersky explains the process in its blog post on the subject:

“The Trojan begins by monitoring the infected device’s clipboard. Users utilize this software facility when making a payment: they copy a recipient’s walled ID number and paste it into the “destination address” line in the software they are using to make their transaction. 

“What they don’t know is that the Trojan then replaces the user's wallet address with one owned by the malware creator. Therefore, when the user pastes the wallet ID to the destination address line, it is already not the address they originally intended to send money to and as a result, the victim transfers their money directly to criminals.”

This process literally happens in milliseconds, because the Trojan is programmed to instantly recognize wallet addresses. Unfortunately for victims, those addresses are very easy to spot because they are made up of random characters that often begin with specific characters (Bitcoin wallets often start with a 1 or a 3, for example). In addition, wallet addresses tend to be a specific length.

Stressed Woman Bitcoin

User Error Involved

Despite the Trojan's effectiveness, there is an element of human error involved in the success of the malware. The problem arises from the fact that wallet addresses are just a random string of meaningless characters. It is because wallet addresses are so hard to remember, that people usually just copy and paste them in. 

However, if people took the time to check the string of digits after they pasted it in from their clipboard it would become obvious that the address had changed. Sadly, people are accustomed to quickly copying and pasting the address of their wallet without thinking. This results in them being easily duped into using the hacker's address instead.

For cryptocurrency users the message is clear: more care needs to be taken when handling wallet addresses. Cryptocurrencies are exploding in value all the time, and Coinbase alone sees approximately 33,000 new users per day buying into the valuable digital asset. With so many people joining the party, the temptation for hackers is only going to grow.

Kaspersky Arrest

Sergey Yunakovsky, a malware analyst at Kaspersky Lab sums it up when he says:

“Cryptocurrency is not tomorrow's technology anymore. It is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals.

“Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So users considering cryptocurrency investments should think about protecting their investments carefully.”

How To Keep Your Coins Safe

The main thing to remember is that if you watch your wallet address carefully at every stage, you should be able to outsmart the CryptoShuffler Trojan. Cryptocurrency users must always take the time to compare the destination address during a transaction to their actual wallet address. If these don’t match, then it is likely that they have fallen prey to a clipboard hijacking attack.

One way to get around the problem is to not use a clipboard at all. However, users must be just as careful when inputting their address directly by hand: because even just one digit wrong will result in funds being wired to the wrong address. A wrongly typed address may result in an invalid address, which would mean that funds aren’t transferred at all. However, the risk is high because a wrongly typed address could belong to someone else. Cryptoshuffler

Kaspersky also advises consumers to make use of antivirus and malware protection such as its Safe Money feature in order to spot malicious programs installed on devices. Users should always keep regularly updated malware protection on their device if they are using their machine for anything that could result in the loss of funds.

For more information about how to keep you coins safe, take a look at our bitcoin VPN guide.

Title image credit: posteriori/

Image credit: micro10x/, Wit Olszewski/

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 


There are no comments yet.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service