$30 000 USD





CryptBot is a "typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2." "Cryptbot combines complex evasion techniques and a rather simple social-engineering based distribution strategy to produce an interesting method of attack that manages to stay relatively hidden in the current malware landscape."


"Cryptbot, an infostealer that takes victims’ cryptocurrency wallet and account credentials, was the most prolific malware family in the group, raking in almost half a million dollars in pilfered Bitcoin. Another prolific family is QuilClipper, a clipboard stealer or “clipper,” ranked eighth on the graph above. Clippers can be used to insert new text into the “clipboard” that holds text a user has copied, usually with the intent to paste elsewhere. Clippers typically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to send funds — the clipper malware effectively hijacks the transaction by then substituting an address controlled by the hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker."


"Cryptbot is capable of collecting sensitive information from Atomic cryptocurrency wallet, Avast Secure web browser, Brave browser, Ledger Live cryptocurrency wallet, Opera Web Browser, Waves Client and Exchange cryptocurrency applications, Coinomi cryptocurrency wallet, Google Chrome web browser, Jaxx Liberty cryptocurrency wallet, Electron Cash cryptocurrency wallet, Electrum cryptocurrency wallet, Exodus cryptocurrency wallet, Monero cryptocurrency wallet, MultiBitHD cryptocurrency wallet, Mozilla Firefox web browser, CCleaner web browser, and Vivaldi web browser."


"CryptBot is an Infostealer that is being distributed through malicious websites disguised as software download pages. Because there are multiple malicious websites created and many of them appear on the top page when keywords such as cracks and serials of popular commercial software are entered in search engines, many users are subject to download the malware and run it. In addition, the sample uses the SFX packing, making difficult to distinguish between normal and malicious files, and changes occur multiple times a day."


"In this latest campaign, Cryptbot is delivered as a Trojan malware. Consistent with the ancient trojan horse, the info-stealer hides within legitimate software in order to be installed by its victims. Over its year of activity, it has been disguised as an installer of a free VPN application and as an installer of legitimate commercial software. Delivered either by itself or bundled with other malicious applications. For example, users looking for cracked versions of PhantomPDF editor, Adobe Illustrator or Malwarebytes AV have found themselves installing the info-stealer instead of their preferred programs. The sample we’ve encountered claimed to be an installer for the Glary Utilities suite that consists of several utilities for Windows optimization and cleanup."


"KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without actually owning a license key. It takes advantage of Windows Key Management Services (KMS), a legitimate technology introduced to license Microsoft products in bulk across enterprise networks. Under normal circumstances, enterprises using legitimate KMS licensing install a KMS server in a central location and use Group Policy Objects (GPO) to configure clients to communicate with it. KMSPico, on the other hand, emulates a KMS server locally on the affected system to fraudulently activate the endpoint’s license."


"You don't have to buy a license directly from Microsoft. You can buy them resale for the amount I listed. My Pro key was $17. Just like you can buy keys for games from retailers other than Steam." "[Y]ou can easily find cheap activation keys for both office and windows (<10$). Yes, they usually come from grey market or whatever but just buy them with a temporary virtual payment card and activate your windows without installing some sh[ad]y software."


"Hey man! I think you DM’d me the other day but I accidentally ignored it. I am [a]ffected by the same hackers. Let’s team up here."


"This is true[.] I was hacked for 30k a few days ago from the same address[.]" "I got hacked from this same address recently[.] I downloaded malware from official-kmspico.com[.]"


"I just downloaded without scrolling down, I've been torrenting since 2008 and have never had an issue so negligence on my part, I didn't scroll through the site just downloaded! I'm dumb. I know."


"It seems to be some sort of network of scammers. I downloaded malware from official-kmspico.com so from a different source however the funds were transferred to this wallet. I think this is actually something larger than just one hacker/scammer. And based on the number of threads that pop up when you search for kmspico on Reddit I have a feeling they will be busted soon, especially with linked KYC. You can still doubt and think the guys moon farming that’s fine but I’m giving you plenty of reasons not to think that anymore."


"Downloaded" "[m]alware from official-kmspico.com" "then went to bed woke up and my [cryptocurrency] was gone, then did some research on kmspico like searching on Reddit kmspico and found a ton on other threads confirming." "Downloaded at 10pm woke up in the morning and all was gone." "Apparently the one from official-kmspico.com is known to contain malware. Reddit search kmspico and a lot of folks are saying that the normal kmspico has been around forever and should be fine."


"So far I have [c]ompletely reset my computer and now have an antivirus and firewall that is set to "ask" for new network requests, [r]eset my passwords, [and f]iled a police report." "I filed a police report today and am waiting for a detective to reach out to me, going to try to formulate my case from the get go here and ask to have it escalated to the FBI."


"The thief used anyswap to swap the MATIC for USDC on a different blockchain. It's an easy way to mask where it ended up. My guess, its on the ethereum blockchain right now...gotta find it." "Here is the next sequence of events for you. You stolen funds are now on the binance smart chain. Likely destined for the Cex for sale." "Thief used anyswap to convert it to USDC on Polygon -> BNB on Binance Smart Chain. Your funds are here and now mixed with the attackers tokens." "Followed the paper trail a bit, looks like the after receiving the tokens they were sent to a wallet that has interacted with WhiteBIT." "Bingo! Binance Hot Wallet." "And while I'm not as sure on this one, it would appear this is their Binance attached wallet. Others report it scamming as well. Looks like it's connected to their BSC scam wallets." "Looks like they've also interacted with KuCoin." "This is their KYC connected wallet. They regularly buy and sell eth using it and fund the scam wallets gas with it. It is connected to cryptodotcom."


"[T]he easiest way is to track back the original gas deposit, the very first transaction a wallet makes when started, and trace that back to the exchange they purchased from. Alternatively, I like to look for them cashing out, actually sending stolen coins to an exchange, but this usually takes longer as they get better and filtering through disguise wallets or using swaps that the smart contract within lets you send outside the source wallet, which obfuscates the transaction a few levels."


"Deadends come from scammers that obtain their initial "capital" scammer fuel to transact using mining wallets, however I almost never find this as miners generally trust the network concept long term and want to support it while the scammers only want easy in/out in fiat while doing best to cover their tracks as they move on to the next easy money scam. Everything is traceable though with enough patience."


"[T]he breakdown is as follows: You consolidated your Matic from various wallets into this one joint wallet over the past couple of weeks. [A]ll matic drained 3 days ago into [the attacker's] wallet."


"Swap over the Etherscan using the same wallet address and you'll find funded the first transaction of 0x365db, which first purchased Eth use Binance."


"Swap over to Binance Smart Chain and you'll find [an address which] funneled some BNB in from Kucoin and [another] wallet [which] funnels into two others, that connect back to Binance as well, one of which cashes out."


"Swap over to Avalanche and you'll find [a transaction] funneled some AVAX over from Binance, not only to the wallet that stole from you but SEVERAL others as well which all connect back to Binance if you hop a few more times deep."


"It would appear these particular scammers are part of a connected ring to the tune of millions of USD worth of funneled assets of Avax/BNB/ETH etc. The vast majority of the stolen assets are just sitting in a few dozen different wallets that have not connected to any exchanges yet unfortunately."

The CryptBot is malware which can commonly be downloaded when pirating software, such as Windows license circumvention. Once downloaded, the software will report information from multiple programs including common cryptocurrency wallets. While multiple victims have lost funds, in this case it appears that $30k was lost. No funds appear to be recovered, though they have been extensively traced through multiple blockchains.


The majority of CryptBot installations happen due to downloading pirated software, and it's commonly detected by most anti-malware software. For the highest security, always store funds offline when not in use, and test any new wallet or environment with a small amount of funds prior to any large transfer or wallet setup.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.