A Reddit user posted on r/Ethereum this week describing malware that intercepts Ethereum addresses during copy-paste operations on Windows machines. The r/Ethereum community has grown to over 131,000 members, making it the largest forum dedicated to the cryptocurrency. The discovery echoes a similar threat that emerged years earlier targeting Bitcoin users.
Symantec researchers identified a trojan called Trojan.Coinbitclip in February 2016. The trojan intercepted Bitcoin addresses from users' clipboards and replaced them with addresses controlled by the attackers. Hackers spread the trojan via phishing emails and standard malware distribution channels, redirecting payments meant for legitimate wallets to addresses they controlled.
"Trojan.Coinbitclip is a Trojan horse that replaces Bitcoin addresses saved to the clipboard with ones supplied by the Trojan," Symantec said at the time.
The sophistication of the attack lay in how the trojan chose the replacement address. The malware carried approximately 10,000 Bitcoin addresses in its code. When a user copied an address, the trojan searched that pool for the entry most similar to the copied address and substituted it, so the swap was far less obvious than a random replacement would have been. Bitcoin journalist Luke Parker detailed the mechanism: "This clever little invader carries with it a large list of bitcoin addresses and chooses the closest match when making the switch, making it harder to spot the switch. In the sample Symantec observed, there were 10,000 Bitcoin addresses stored in the code. The end result is that copying and pasting a payment address can easily trick you into sending your coins to the malware's creator."
The Ethereum variant emerged when a user named Apneal attempted to deposit cryptocurrency from an exchange. Apneal sent 0.01 Ether from an exchange to a personal wallet address but noticed something wrong. The receiving address had no incoming transaction. Apneal verified the transaction on Etherscan, the public blockchain explorer, and confirmed it had broadcast to the network. But when Apneal checked the actual destination address, the Ether had disappeared. The funds had gone to a different wallet.
Suspecting a local problem, Apneal ran a series of tests to isolate the issue. The results pointed to malware on the machine: "Copy the address from MyEtherWallet, paste into notepad. It changed it right on the spot. Maybe I didn't copy right? Copy paste again, same address. Maybe my clipboard isn't flushing? Copy other text on the screen and paste, that works, copy address again and paste, that same different address appears. Something funky with MyEtherWallet? Open up Firefox, go to my wallet, copy-paste. That works fine. This is on my end."
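The copy-then-paste test Apneal ran above, and the near-match substitution Symantec described for Coinbitclip, as an added defensive example (Python, written for this article; not code from the original post or from any tool it names): it writes an address to the clipboard, reads it back, compares the whole string, and, when the two differ, reports how many characters a glance at the start and end would still have matched. The names `roundtrip_check`, `FakeClipboard`, `win_copy` and `win_paste` are assumptions, and the sample addresses are constructed, not real wallets.

```python
import re
import subprocess

# Syntactic patterns only (no checksum): 0x + 40 hex for Ethereum, legacy base58 for Bitcoin.
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")
BTC_ADDR = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

def looks_like_address(text: str) -> bool:
    return bool(ETH_ADDR.match(text) or BTC_ADDR.match(text))

def shared_affix(a: str, b: str) -> tuple:
    """Characters that agree at the start and at the end (what a quick glance compares)."""
    n = min(len(a), len(b))
    head = next((i for i in range(n) if a[i] != b[i]), n)
    tail = next((i for i in range(n) if a[-1 - i] != b[-1 - i]), n)
    return head, tail

def roundtrip_check(copy_fn, paste_fn, intended: str) -> dict:
    """Copy the intended address, read the clipboard back and compare the whole string."""
    copy_fn(intended)
    got = paste_fn()
    result = {"intended": intended, "read_back": got, "tampered": got != intended}
    if result["tampered"]:
        result["swapped_for_address"] = looks_like_address(got)
        result["matching_head_tail"] = shared_affix(intended, got)
        result["differing_positions"] = (sum(x != y for x, y in zip(intended, got))
                                         + abs(len(intended) - len(got)))
    return result

# Real Windows backend via clip.exe and PowerShell's Get-Clipboard (not used by the test).
def win_copy(text: str) -> None:
    subprocess.run(["clip"], input=text, text=True, check=True)

def win_paste() -> str:
    cmd = ["powershell", "-NoProfile", "-Command", "Get-Clipboard"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.rstrip("\r\n")

class FakeClipboard:
    """Constructed stand-in for the infected clipboard: address-like text is replaced, the rest passes."""
    def __init__(self, substitute: str):
        self.buf, self.substitute = "", substitute
    def copy(self, text: str) -> None:
        self.buf = self.substitute if looks_like_address(text) else text
    def paste(self) -> str:
        return self.buf

# Constructed sample: the swapped-in address differs from the intended one in only 4 of 42
# characters, so comparing just the first and last few characters does not catch it.
INTENDED = "0x0123456789abcdef0123456789abcdef01234567"
NEAR_MATCH = INTENDED[:22] + "ffff" + INTENDED[26:]
```

On the Windows host itself, call `roundtrip_check(win_copy, win_paste, address)`; `FakeClipboard` exists only so the check can be exercised offline against the substitution behaviour the post describes.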
Cleaning an infection of this type requires more than running antivirus software. Once the malware embeds itself on a system, traditional antivirus approaches rarely eliminate it. Members of the Ethereum community advised Apneal and other victims to format all connected drives and perform a Windows reinstallation, wiping the system and starting from scratch.