Skip to main content

Woburn, MA – October 31, 2017Kaspersky Lab researchers have discovered a new CryptoShuffler Trojan, which steals cryptocurrencies from a user’s wallet by replacing their address with its own in the device’s clipboard. To date, criminals have already succeeded in attacking Bitcoin wallets, stealing 23 BTC, which is equivalent to almost $140,000. The total amount stolen from other wallets range from a few dollars to several thousands.

According to Kaspersky Lab’s research, a CryptoShuffler Trojan creator has already been operating for a year, targeting a wide range of the most popular cryptocurrencies such as Bitcoin, Ethereum, Zcash, Dash, Monero and others. The peak in this criminal’s activity was the end of last year, followed by a quiet period, which lasted until June 2017. So-called “clipboard hijacking” attacks like this have been previously seen in the wild, targeting online payment systems; however, experts believe cases involving a cryptocurrency host address are currently rare.

CryptoShuffler’s mechanism is very simple and effective, capitalizing on the common transaction process used by most cryptocurrency users. The Trojan begins by monitoring the infected device’s clipboard. Users utilize this software facility when making a payment: they copy a recipient’s walled ID number and paste it into the “destination address” line in the software they are using to make their transaction. What they don’t know is that the Trojan then replaces the user's wallet address with one owned by the malware creator. Therefore, when the user pastes the wallet ID to the destination address line, it is already not the address they originally intended to send money to and as a result, the victim transfers their money directly to criminals.

CryptoShuffler’s ability to replace a destination literally takes milliseconds because it’s so simple to search for wallet addresses – the majority of cryptocurrency wallet addresses have the same beginning and certain number of characters. Therefore, intruders can easily create regular codes to replace them.

With this trick, criminals are exploiting users’ lack of paying attention. When making a payment, users do not usually check their multi-digit numbers, especially since the wallet addresses in blockchain are complicated and often very difficult to remember. Users don’t pay much attention to checking any distinctive features in the transaction line, even if a slight change could cost them a lot.

“Cryptocurrency is not tomorrow's technology anymore. It is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals,” said Sergey Yunakovsky, malware analyst at Kaspersky Lab. “Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So users considering cryptocurrency investments should think about protecting their investments carefully.”

To keep your crypto savings safe and not top up the criminals’ wallets, Kaspersky Lab advises to pay close attention during transactions, and always check the wallet number listed in the ‘destination address’ line against the one you are intending of which to send coins. Users should also be aware that there is a difference between an invalid address and an incorrect address: In the first case, the error will be detected and the transaction won't be completed; in the latter, you will never see your money again.

Another way to stay protected is to use a specialized security feature, like the Safe Money technology feature available in flagship Kaspersky Lab solutions. These security protections scan for vulnerabilities that are known to be exploited by cybercriminals, constantly check for specialized malware and guard transactions from intrusion with the help of Protected Browser technology. Additionally, it specifically protects the clipboard where sensitive data could be stored briefly during copy/paste operations.

Kaspersky Lab products successfully detect and block malware with the following detection names:

  • Trojan-Banker.Win32.CryptoShuffler.gen
  • Win32.DiscordiaMiner

Learn more about newly discovered miners on

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Kitsos 

Kaspersky Lab discovers CryptoShuffler, a new threat that seized $140,000 in Bitcoin savings

Woburn, MA – October 31, 2017 – Kaspersky Lab researchers have discovered a new CryptoShuffler Trojan, which steals cryptocurrencies from a user’s wallet by replacing their address with its own in the device’s clipboard.
Kaspersky Logo