New Malware Steals Cryptocurrency by Lifting from Your Clipboard

For decades the clipboard has been an everyday part of the computing experience, whether on Windows, Mac, or Linux. But now attackers have found their way to your clipboard so that they can insert malware that will steal your cryptocurrency.

This will make you think twice the next time you copy and paste sensitive information, especially cryptocurrency. This new use of malware replaces the address of your cryptocurrency transaction with the address of the attacker’s wallet.

The Crime

The ComboJack malware works on multiple currencies by relying on you not checking the wallet you’re sending your transaction to. Many spam emails were used to distribute the malware, and the sheer number of emails shows that the attackers are being successful with their endeavor.

But don’t think you’re safe just because you don’t use Bitcoin, as non-cryptocurrency digital payment systems, such as WebMoney and Yandex Money, are being targeted as well.


Researchers at Palo Alto Networks happened onto this malware campaign while watching an email phishing campaign that was targeting users in both America and Japan.

The emails don’t use the victims’ names yet claim a passport has been misplaced, instructing the reader of the email to open a document that contains a scanned version of it to “check if you know the owner.”

Once the email recipient opens the file, they’re told to allow an embedded file to run so that they can view the document. If they follow along and allow the file to run, it will enable an embedded RTF file to inject code and run PowerShell commands that will be used to download ComboJack and execute it.

ComboJack then uses the built-in Windows tool attrib.exe, which allows it to hide itself from the email recipient and also to execute processes that have high-level privileges.

It will then start a loop where it will check the clipboard content every half second to see if the user has copied information about cryptocurrencies. If it finds that, it will replace the present address with an address connected to the attacker, hoping the victim won’t notice.
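The substitution described above, turned into a detection rule as an added example (not code from the article or from Palo Alto Networks): it flags a clipboard change where an address is replaced by a different address of the same kind within a second. The address shapes, the one-second window, and the sample events are assumptions constructed for illustration.

```python
import re

# Address shapes below are assumptions for this example, not ComboJack's own
# matching rules: Bitcoin legacy (Base58) addresses and WebMoney purse numbers.
ADDRESS_SHAPES = {
    "bitcoin": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "webmoney": re.compile(r"[A-Z]\d{12}"),
}

def classify(text):
    """Return the kind of payment address the text looks like, or None."""
    value = text.strip()
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(value):
            return kind
    return None

def find_swaps(events, max_gap=1.0):
    """Flag clipboard changes where an address is replaced, within max_gap
    seconds, by a different address of the same kind.

    events: time-ordered (seconds, clipboard_text) pairs, one per change.
    """
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        kind = classify(old)
        if kind is None or classify(new) != kind:
            continue  # not an address-to-address change of the same kind
        if old.strip() != new.strip() and (t1 - t0) <= max_gap:
            alerts.append({"kind": kind, "at": t1, "copied": old.strip(),
                           "replaced_by": new.strip()})
    return alerts

# Constructed sample data: made-up strings that only have the right shape.
USER_BTC = "1" + "CopiedByUser" + "A" * 21
OTHER_BTC = "1" + "SwappedAddr" + "B" * 22
SAMPLE_EVENTS = [
    (10.0, USER_BTC),          # user copies a Bitcoin address
    (10.4, OTHER_BTC),         # replaced 0.4 s later: flagged
    (60.0, "meeting at 3pm"),  # ordinary text: ignored
    (90.0, "Z123456789012"),   # user copies a WebMoney purse
    (125.0, "Z999999999999"),  # different purse 35 s later: a normal re-copy
    (125.3, "Z000000000001"),  # replaced 0.3 s later: flagged
]

if __name__ == "__main__":
    for a in find_swaps(SAMPLE_EVENTS):
        print(f"{a['at']:.1f}s {a['kind']}: {a['copied']} -> {a['replaced_by']}")
```

A person rarely copies two different addresses of the same kind within a second, which is why the short window separates the substitution from a normal re-copy.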

Beyond this Exploitation


Beyond an organization trying to steal cryptocurrency, this certainly means that anything could potentially be stolen from your clipboard, and many of us use the clipboard for many things.

The question is whether you use the clipboard function for anything that would be potentially harmful if it were stolen, such as passwords. Sometimes passwords are emailed to you to set up an account, and they can be so long and filled with numbers and letters that the easiest solution is to copy and paste them.

Of course, it would require someone to be sitting on the other end constantly checking your clipboard for password information and to know where it will go, so it’s quite a stretch. But now we know that this could potentially happen.

The important thing to know is that the clipboard is a vulnerability, so it’s best to keep that in mind when you’re copying and pasting.

Possible Solutions

This particular vulnerability was patched by Microsoft last September, so the first line of defense is to keep your operating system up to date. Additionally, you need to be careful of emails from unknown organizations that ask you to download attachments. Hopefully, these are things you’re already doing anyway.

Is this type of vulnerability something you’re worried about? Would you have ever imagined that your clipboard could be exploited? Let us know your thoughts on this in the comments.

Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. “But now attackers have found their way to your clipboard so that they can insert malware that will steal your cryptocurrency.”
    You explicitly describe how the process works on Windows. You never say anything about Mac or Linux. Is ComboJack designed to access the clipboard on Mac and Linux?

  2. No, it is not. It requires an executable file, and Macs don’t run executable files. It seems to be written for Windows, and Windows executables don’t run well on Linux. So I would say it is not designed to access the clipboard on Mac and Linux.

  3. I wasn’t worried about it. From the minute I saw “attrib.exe” I knew this wouldn’t hurt my OpenSuSE desktop. Not to mention, I don’t have ANY digital currency accounts, nor do I think I’ll EVER have ’em. To me?…it’s a stupid premise. To take my hard earned money….buy all manner of supercomputers just to “mine” for something that can be worth 5K – 15K today….and then be valued at $50.00 – $500 the next. No thanks. But the kicker for me is the “unregulated” part. People were so intent on “bucking the system” and sticking it to “the man”,…that they didn’t consider the other side of the coin…(forgive the pun!) But with no regulation, there’s nothing that says the currency should be valued at a certain amount. This mysterious creator of Bitcoin just left it up to the masses to regulate themselves….and as we can see by all the crypto-robbery….there’s no honor amongst thieves……so I will keep my money in my bank…and my coffee can….and the newbies and millennials who have money to waste?….can chase this fool’s gold! LoL!
