{"id":9780,"date":"2017-10-31T12:00:08","date_gmt":"2017-10-31T08:00:08","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=9780"},"modified":"2019-11-15T15:23:42","modified_gmt":"2019-11-15T11:23:42","slug":"cryptoshuffler-bitcoin-stealer","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cryptoshuffler-bitcoin-stealer\/9780\/","title":{"rendered":"CryptoShuffler: Trojan stole $140,000 in Bitcoin"},"content":{"rendered":"<p>Imagine that one day you decide to use Bitcoin to pay for, say, a pizza. You copy the wallet address from the pizzeria\u2019s website, enter the required amount, and click the Send button. The transfer goes through, but the pizza doesn\u2019t arrive. The pizzeria owners say they never received the payment. What\u2019s going on? Don\u2019t get mad at the pizza guys \u2014 it\u2019s all down to CryptoShuffler.<\/p>\n<p>Unlike <a target=\"_blank\" href=\"https:\/\/me-en.kaspersky.com\/blog\/bad-rabbit-ransomware\/9747\/\" rel=\"noopener noreferrer\">cryptoransomware<\/a>, this Trojan avoids flashy effects, instead doing its best to slip under the radar. It resides quietly in the computer\u2019s memory and monitors the clipboard \u2014 the temporary storage area for cut\/paste operations.<\/p>\n<p>As soon as CryptoShuffler spots the address of a cryptocurrency wallet on the clipboard (it\u2019s quite easy to distinguish these addresses by line length and specific characters), it replaces the address with another. 
As a result, the cryptocurrency transfer does indeed go through, and in the amount specified by the payer, only the recipient is not the pizzeria, but the intruders behind CryptoShuffler.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/securelist.com\/tales-from-the-blockchain\/82971\/\" rel=\"noopener noreferrer\">Having studied the Trojan<\/a>, Kaspersky Lab discovered that the malware targets not only Bitcoin, but also Ethereum, Zcash, Monero, Dash, Dogecoin (yes, it\u2019s real), and other cryptocurrencies as well. Substituting Bitcoin wallets is the Trojan\u2019s most lucrative activity \u2014 at the time of publication the attackers had snagged slightly more than 23 BTC (about $140,000 at the current exchange rate).<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/10\/31121829\/cryptoshuffler-bitcoin-stats.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/10\/31121829\/cryptoshuffler-bitcoin-stats-1024x181.png\" alt=\"\" width=\"1024\" height=\"181\" class=\"aligncenter size-large wp-image-19978\"><\/a><\/p>\n<p>The other cryptocurrency wallets belonging to CryptoShuffler\u2019s creators were found to contain sums ranging from tens to thousands of dollars.<\/p>\n<p>It took the Trojan a little more than a year to collect that money. Peak activity in late 2016 was followed by a slump, but then in June 2017, CryptoShuffler reawakened.<\/p>\n<p>This Trojan clearly demonstrates that an infected computer or smartphone will not necessarily slow down or display ransom messages. On the contrary, many kinds of malware try to keep a low profile and to operate as stealthily as possible; the longer they remain undetected, the more money they will make for their creators.<\/p>\n<p>So our advice to all cryptocurrency users is to remain vigilant and get protected. 
Our products detect CryptoShuffler as Trojan-Banker.Win32.CryptoShuffler.gen, and, needless to say, block all its actions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The CryptoShuffler Trojan does its utmost to go unnoticed, stealing Bitcoins on the sly.<\/p>\n","protected":false},"author":40,"featured_media":9781,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[374,1505,1542,192,700,692],"class_list":{"0":"post-9780","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-bitcoin","9":"tag-cryptocurrencies","10":"tag-cryptoshuffler","11":"tag-protection","12":"tag-research","13":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cryptoshuffler-bitcoin-stealer\/9780\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cryptoshuffler-bitcoin-stealer\/11740\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cryptoshuffler-bitcoin-stealer\/13137\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cryptoshuffler-bitcoin-stealer\/12048\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cryptoshuffler-bitcoin-stealer\/11686\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cryptoshuffler-bitcoin-stealer\/14701\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cryptoshuffler-bitcoin-stealer\/14430\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cryptoshuffler-bitcoin-stealer\/19112\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cryptoshuffler-bitcoin-stealer\/4367\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cryptoshuffler-bitcoin-stealer\/19976\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cryptoshuffler-bitcoin-stealer\/9732\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspers
ky.com\/cryptoshuffler-bitcoin-stealer\/8467\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cryptoshuffler-bitcoin-stealer\/15144\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/cryptoshuffler-bitcoin-stealer\/8792\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cryptoshuffler-bitcoin-stealer\/18579\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cryptoshuffler-bitcoin-stealer\/19013\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cryptoshuffler-bitcoin-stealer\/19005\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/bitcoin\/","name":"bitcoin"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=9780"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9780\/revisions"}],"predecessor-version":[{"id":14796,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9780\/revisions\/14796"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/9781"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=9780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=9780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=9780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}