New Cryptocurrency Malware Hijacks Mining Addresses

Criminal activity revolving around cryptocurrency is nothing new. With people sneaking miners onto servers and scammers using the currency as a means of earning some cash, cryptocurrency has seen its fair share of malevolent activity. The latest attack to come from the cryptocurrency world aims to silently redirect payments made to the attacker instead of the intended recipient.

How Does It Work?

The malware was first found on torrents from The Pirate Bay. A few videos, such as a download for “The Girl in the Spiders Web,” contained a strange .LNK file loosely disguised as a video file. When the file was pried open to see what it does, people found a very sneaky piece of malware aimed at hijacking a user’s browsing experience.


It seemed pretty “harmless” at first – it checked to see if the user visited a specific webpage, then injected advertisements into the site to make revenue for the malware distributors. After a little more analysis, it was discovered it did a lot more than that – it tried to trick people into paying cryptocurrency into someone else’s wallet!

The Address Hijack

The malware had a few different methods of attack. One of them involved hijacking a Google search in order to put malicious results at the top. It also injected adverts onto Google to help make the developers a little extra cash.


When you go a little deeper into the code, you find some more worrying methods of attack. One of them specifically targets Wikipedia. When the user visits the site, the malware produces a fake donation request with links to a cryptocurrency wallet. The wallet link isn’t Wikipedia’s, however; it links to the malware developer’s wallet instead. Anyone who follows through with the request won’t be helping Wikipedia at all; they’ll just line the pockets of the people who developed this malware!


The attack goes one step further by automatically detecting when a BitCoin wallet link appears on a webpage. When it finds one, it silently replaces the link with one that redirects to the malware developer’s own wallet. If you’ve never seen a wallet link before, they’re seemingly-random strings of letters and numbers. Unless the user had prior knowledge of what the wallet link looked like, they’d have no reason to believe the link had been swapped from under their noses.

How to Beat It

Thankfully, this malware isn’t too hard to avoid. It depended on a user downloading a movie on The Pirate Bay, then opening a file that was given a similar file name to other movie files. Fortunately, a closer look at the file revealed it wasn’t a movie file at all; it was an .LNK, which is never used to play a movie. If users took the time to study the file they had downloaded, they would not have infected themselves with the malware.

This shows the importance of double-checking files before you download or run them, especially from illicit or untrusted sources. If a file “looks odd” or uses a different file type than you were expecting, exercise caution and ensure you know what you’re opening before you do so.

False Files

With this new cryptocurrency malware making the rounds, it reminds us how important it is to double-check the files we open from unknown sources. Now you know about this new malware and how it works.

Do you think cryptocurrency-based attacks will be 2019’s most prevalent kind of malware? Let us know below.

Image credit: Bleeping Computer

Simon Batt Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.