New malware highjacks your Windows clipboard to change crypto addresses

In what amounts to be an amazingly nefarious bit of malware, hackers have created an exploit that watches 2.3 million high-value crypto wallets and replaces the addresses in the Windows clipboard with an address associated with the hackers. In other words, you could paste your own wallet address – 3BYpmdzASG7S6WrpmrnzJCX3y8kduF6Kmc, for example – and the malware would subtly (or unsubtly) change it to its own private wallet. Because it happens in the clipboard most people wouldn’t notice the change between copying and pasting.

Security researchers at BleepingComputer have found similar hijackers in the wild but this latest version is actively watching valuable wallets and trying grab bitcoin as they enter the accounts. Below is an example of the malware at work.

The malware runs a massive, 83MB DLL file that masquerades as a Direct X service. Inside the DLL is a 2.5 million line text file full of bitcoin addresses. In the above test when cutting and pasting from an HTML page into WordPad you’ll notice that the accounts are subtly modified in each case while leaving the beginning of the address unchanged.

Multiple anti-virus engines are now tagging this DLL as dangerous and you should be safe as long as you keep your virus protection up to date. But, as BleepingComputer notes, the only way to be sure your BTC is safe is to meticulously check each address you paste. They write:

As malware like this runs in the background with no indication that it is even running, is it not easy to spot that you are infected. Therefore it is important to always have a updated antivirus solution installed to protect you from these types of threats.

It is also very important that all cryptocurrency users to double-check any addresses that they are sending cryptocoins to before they actually send them. This way you can spot whether an address has been replaced with a different one than is intended.