{
	"id": "b824f7ea-6af9-4f87-b29b-41159b016f39",
	"created_at": "2026-04-06T00:10:22.793079Z",
	"updated_at": "2026-04-10T13:12:55.396641Z",
	"deleted_at": null,
	"sha1_hash": "b5f273de65776097fa1572ac7c716c80f5e461bc",
	"title": "Malware Families Help Hackers Steal and Mine Millions in Crypto - Chainalysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1045490,
	"plain_text": "Malware Families Help Hackers Steal and Mine Millions in Crypto\r\n- Chainalysis\r\nBy Chainalysis Team\r\nPublished: 2022-01-19 · Archived: 2026-04-05 15:47:27 UTC\r\nThis blog is a preview of our 2022 Crypto Crime Report. Sign up here to download your copy now!\r\nWhen it comes to cryptocurrency theft, industry observers tend to focus on attacks against large organizations —\r\nnamely hacks of cryptocurrency exchanges or ransomware attacks against critical infrastructure. But over the last\r\nfew years, we’ve observed hackers using malware to steal smaller amounts of cryptocurrency from individual\r\nusers. \r\nUsing malware to steal or extort cryptocurrency is nothing new. In fact, nearly all ransomware strains are initially\r\ndelivered to victims’ devices through malware, and many large-scale exchange hacks also involve malware. But\r\nthese attacks take careful planning and skill to pull off, as they’re typically targeted against deep-pocketed,\r\nprofessional organizations and, if successful, require hackers to launder large sums of cryptocurrency. With other\r\ntypes of malware, less sophisticated hackers can take a cheaper “spray-and-pray” approach, spamming millions of\r\npotential victims and stealing smaller amounts from each individual tricked into downloading the malware. Many\r\nof these malware strains are available for purchase on the darknet, making it even easier for less sophisticated\r\nhackers to deploy them against victims. \r\nWe’re equipping our partners in law enforcement, compliance, and cybersecurity to combat this problem by\r\nadding a new tag for malware operator addresses in all Chainalysis products. 
Below, we’ll examine trends in\r\nhackers’ usage of cryptocurrency-focused malware over the last decade and share two case studies to help you\r\nunderstand this under-discussed area of crypto crime.\r\nMalware and cryptocurrency summarized\r\nMalware refers to malicious software that carries out harmful activity on a victim’s device, usually without their\r\nknowledge. Malware-powered crime can be as simple as stealing information or money from victims, but can also\r\nbe much more complex and grand in scale. For instance, malware operators who have infected enough devices can\r\nuse those devices as a botnet, having them work in concert to carry out distributed denial-of-service (DDoS)\r\nattacks, commit ad fraud, or send spam emails to spread the malware further. \r\nThe malware families we discuss here are all used to steal cryptocurrency from victims, though some of them are\r\nused for other activities as well. The grid below breaks down the most common types of cryptocurrency-focused\r\nmalware families.\r\nType | Description | Example\r\nhttps://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/\r\nPage 1 of 12\n\nInfo stealers | Collect saved credentials, files, autocomplete history, and cryptocurrency wallets from compromised computers. | Redline\r\nClippers | Can insert new text into the victim’s clipboard, replacing text the user has copied. 
Hackers can use clippers to replace cryptocurrency addresses copied into the clipboard with their own, allowing them to reroute planned transactions to their own wallets. | HackBoss\r\nCryptojackers | Makes unauthorized use of the victim device’s computing power to mine cryptocurrency. | Glupteba\r\nTrojans | Virus that looks like a legitimate program but infiltrates the victim’s computer to disrupt operations, steal, or cause other types of harm. | Mekotio banking trojan\r\nMany of the malware families described above are available to purchase for relatively little money on\r\ncybercriminal forums. For instance, the screenshots below show an advertisement for Redline, an info stealer\r\nmalware, posted on a Russian cybercrime forum.\r\nThe seller offers cybercriminals one month of Redline access for $150 and lifetime access for $800. Buyers also\r\nget access to Spectrum Crypt Service, a Telegram-based tool that allows cybercriminals to encrypt Redline so that\r\nit’s more difficult for victims’ antivirus software to detect it once it’s been downloaded. The proliferation of cheap\r\naccess to malware families like Redline means that even relatively low-skilled cybercriminals can use them to\r\nsteal cryptocurrency. Law enforcement and compliance teams must keep this in mind, and understand that the\r\nmalware attacks they investigate aren’t necessarily carried out by the administrators of the malware family itself,\r\nbut instead are often carried out by smaller groups renting access to the malware family, similar to ransomware\r\naffiliates. 
\r\nThe graph below shows the number of victim transfers to cryptocurrency addresses associated with a sample of\r\nmalware families in the info stealer and clipper categories investigated by Chainalysis.\r\nNote: This graph does not reflect activity by cryptojackers or ransomware.\r\nOverall, the malware families in this sample have received 5,574 transfers from victims in 2021, up from 5,447 in\r\n2020. \r\nWhich malware families were most active?\r\nNote: This graph does not reflect activity by cryptojackers or ransomware.\r\nCryptbot, an infostealer that takes victims’ cryptocurrency wallet and account credentials, was the most prolific\r\nmalware family in the group, raking in almost half a million dollars in pilfered Bitcoin. Another prolific family is\r\nQuilClipper, a clipboard stealer or “clipper,” ranked eighth on the graph above. Clippers can be used to insert new\r\ntext into the “clipboard” that holds text a user has copied, usually with the intent to paste elsewhere. Clippers\r\ntypically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to\r\nsend funds — the clipper malware effectively hijacks the transaction by then substituting an address controlled by\r\nthe hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker. \r\nHowever, none of those numbers reflect totals from what we believe to be the most prolific type of\r\ncryptocurrency-focused malware: Cryptojackers. \r\nCryptojacker activity is murky but substantial\r\nCryptojackers obtain funds for malware operators by utilizing the victim’s computing power to mine\r\ncryptocurrency — usually Monero, but we’ve seen Zcash and Ethereum mined as well. 
Since funds are moving\r\ndirectly from the mempool to mining addresses unknown to us, rather than from the victim’s wallet to a new\r\nwallet, it’s more difficult to passively collect data on cryptojacking activity the way we can other forms of\r\ncryptocurrency-based crime. However, we know it’s a big problem. In 2020, Cisco’s cloud security division\r\nreported that cryptojacking malware affected 69% of its clients, which would translate to an incredible amount of\r\nstolen computer power, and therefore a significant amount of illicitly mined cryptocurrency. A 2018 report from\r\nPalo Alto Networks estimated that 5% of all Monero in circulation was mined by cryptojackers, which would\r\nrepresent over $100 million in revenue, making cryptojackers the most prolific form of cryptocurrency-focused\r\nmalware. \r\nThese numbers are likely only scratching the surface for cryptojacking. As we identify more malware families\r\ninvolved in this activity, we expect to learn that total revenue for the category is even bigger than it currently\r\nappears. \r\nMalware and money laundering\r\nThe vast majority of malware operators receive initial victim payments at private wallet addresses, though a few\r\nuse addresses hosted by larger services. Of that smaller group, the majority use addresses hosted by exchanges —\r\nmostly high-risk exchanges that have low or no KYC (Know Your Customer) requirements.\r\nAfter receiving cryptocurrency from victims, malware operators then send the majority of funds on to addresses at\r\ncentralized exchanges.\r\nHowever, that majority is slim and getting slimmer. Exchanges only received 54% of funds sent from malware\r\naddresses in 2021, down from 75% in 2020. 
DeFi protocols make up much of the difference at 20% in 2021, after\r\nhaving received a negligible share of malware funds in 2020. Illicit services seemingly unrelated to malware —\r\nmostly darknet markets — are also a significant money laundering avenue for malware operators, having received\r\nroughly 15% of all funds sent from malware addresses in 2021. \r\nMalware-based cryptocurrency theft is difficult to investigate in part due to the large number of less sophisticated\r\ncybercriminals who can rent access to these malware families. But studying how cybercriminals launder stolen\r\ncryptocurrency may be investigators’ best bet for finding those involved. Using blockchain analysis, investigators\r\ncan follow the funds, find the deposit addresses cybercriminals use to cash out, and subpoena the services hosting\r\nthose addresses to identify the attackers. \r\nInvestigating the HackBoss clipper\r\nAccording to Chainalysis data, the HackBoss clipper stole over $80,000 worth of cryptocurrency throughout 2021.\r\nSince 2012, HackBoss has been the most prolific clipper malware overall, having taken over $560,000 from\r\nvictims in assets like Bitcoin, Ethereum, Ripple, and more.\r\nInterestingly, HackBoss is targeted at fellow hackers rather than what we think of as ordinary victims. According\r\nto reporting from Avast.io’s Decoded, HackBoss is distributed through a Telegram channel that purports to provide\r\nhacking tools such as social media site crackers. 
However, instead of those tools, the channel’s users are actually\r\ndownloading the HackBoss clipper, which steals cryptocurrency from them by inserting its own addresses into the\r\nclipboard when victims attempt to copy and paste another address to carry out a cryptocurrency transaction.\r\nThe Chainalysis Reactor graph above shows HackBoss receiving cryptocurrency from victims on the left. From\r\nthere, the malware operators move funds to deposit addresses hosted by high-risk exchanges.\r\nWhile HackBoss is uniquely targeted at hackers attempting to download tools to carry out their own cybercrimes,\r\nmost other clippers are targeted at ordinary cryptocurrency users. It’s extremely difficult to know if one has fallen\r\nvictim to a clipper until a transaction has been hijacked given how long and complex cryptocurrency addresses are\r\n— most people don’t read through the recipient’s entire address between pasting it into their wallet and sending a\r\ntransaction. However, that may be necessary for users trying to be as careful as possible. At the very least,\r\ncryptocurrency users need to be vigilant about what links they click and programs they download, as there are\r\nseveral active malware strains — not just clippers, but others too — attempting to steal their funds.\r\nCase study: Glupteba botnet hijacks computers to mine Monero and harnesses the\r\nBitcoin blockchain to evade shutdown\r\nA complaint filed by Google in late 2021 named multiple Russian nationals and entities alleged to be responsible\r\nfor operating the Glupteba botnet, which has compromised over 1 million machines. Glupteba’s operators have\r\nused these machines for several criminal schemes, including utilizing their computing power to mine\r\ncryptocurrency — specifically, in this case, Monero — in a practice known as cryptojacking. 
\r\nPerhaps most notable is Glupteba’s use of the Bitcoin blockchain to withstand attempts to take it offline, encoding\r\nupdated command-and-control servers (C2) into the Op_Returns of Bitcoin transactions. Google used Chainalysis\r\nsoftware and Chainalysis Investigative Services to analyze the Bitcoin addresses and transactions responsible for\r\nsending updated C2 instructions. Below, we’ll break down how the Glupteba botnet uses the Bitcoin blockchain\r\nto defend itself and what it means for cybersecurity and law enforcement.\r\nA primer on the Glupteba botnet\r\nThe cybercriminals behind the Glupteba botnet have used it to carry out a variety of criminal schemes. In addition\r\nto cryptojacking, the botnet has been used to acquire and sell Google account information stolen from infected\r\nmachines, commit digital advertising fraud, and sell stolen credit card data. \r\nGoogle was able to identify the individuals named in the complaint by obtaining and examining an IP address\r\nused by one of Glupteba’s C2 servers. All individuals were also listed as owners or administrators of shell\r\ncompanies connected to Glupteba-related crimes, such as one used to sell fraudulent digital advertising\r\nimpressions supplied by the botnet. Google was able to take down the current C2 server; however, as\r\nGlupteba has proven resilient against such takedowns thanks to its blockchain failsafe, we will soon see a new\r\nC2 assigned.\r\nHow Glupteba weaponizes the blockchain\r\nIn order to direct botnets, cybercriminals rely on command-and-control (C2) servers, which allow them to send\r\ncommands to machines infected with malware. Botnets look for domain addresses controlled by their C2 servers\r\nin order to receive instructions, with directions on where to look for those domain addresses hard coded into the\r\nmalware itself. 
\r\nIn order to combat botnets, law enforcement and cybersecurity professionals try to take those domains offline so\r\nthat the botnets can no longer receive instructions from the C2 server. In response, botnet operators typically set\r\nup a number of backup domains in case the active domain is taken down. Most malware algorithmically generates\r\nnew domain addresses for botnets to scan until they find one of those backups, allowing them to receive new\r\ninstructions from the C2 server.\r\nHowever, Glupteba does something new. When its C2 server is disrupted, Glupteba is programmed to search the\r\nBitcoin blockchain for transactions carried out by three addresses controlled by its operators. Those addresses\r\ncarry out transactions of little or no monetary value, with encrypted data written into the transaction’s Op_Return\r\nfield, which is used to mark transactions as invalid. Glupteba malware can then decode the data entered into the\r\nOp_Return field to obtain the domain address of a new C2 server. \r\nIn other words, whenever one of Glupteba’s C2 servers is shut down, it can simply scan the blockchain to find the\r\nnew C2 server domain address, hidden amongst hundreds of thousands of daily transactions. This tactic makes the\r\nGlupteba botnet extremely difficult to disrupt through conventional cybersecurity techniques focused on disabling\r\nC2 server domains. This is the first known case of a botnet using this approach. 
\r\nHere’s what we know about the three Bitcoin addresses we’ve identified as being used by Glupteba’s operators to\r\nkeep the botnet online:\r\nAddress | Dates active | Number of transfers | Number of Op_Returns\r\n15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 | 6/17/2019 – 5/13/2020 | 32 | 8\r\n1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 | 4/8/2020 – 10/19/2021 | 16 | 6\r\n1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 | 10/13/21 – present | 18 | 6\r\nCombined, the three addresses have only transacted a few hundred dollars’ worth of Bitcoin, but the messages\r\nencoded into the Op_Returns on some of those transactions have helped the Glupteba botnet remain operational.\r\nLet’s look more closely at address 15y7d… in Chainalysis Reactor as an example.\r\nWe see that the Glupteba address received its initial funding from a mixing service, before initiating the invalid\r\ntransactions with Op_Returns we see at the top of the graph. The funds associated with those invalid transactions\r\nthen travel to the refund wallets on the right, and eventually back to the original Glupteba address. The other two\r\naddresses show similar transaction patterns. Google identified the three Glupteba addresses and brought them to\r\nChainalysis, at which point our investigators were able to decode the data contained in the Op_Returns’ message\r\nfields, allowing them to discover the new C2 server domain addresses being sent to the botnet. \r\nLike address 15y7d…, address 1CgPC… was initially funded through outputs from mixing transactions. 
However,\r\nthe third address, 1CUha…, received initial funding from another private wallet address:\r\nbc1qhjuvzwcv0pp68kn2sqvx3d2k3pqfllv3c4vywd.\r\nInterestingly, other transactions sent by bc1qh… have been associated with Federation Tower, a luxury office\r\nbuilding in Moscow that also housed Suex, a now-sanctioned cryptocurrency OTC broker involved in money\r\nlaundering for several forms of cybercrime, including ransomware. Reporting from Bloomberg and The New York\r\nTimes discusses other cryptocurrency businesses headquartered in Federation Tower, including EggChange, an\r\nexchange that’s also been linked to cybercrime and whose founder, Denis Dubnikov, was arrested by U.S.\r\nauthorities in November 2021. These links raise more questions about the interconnectedness of illicit, Russia-based cryptocurrency businesses associated with malware and ransomware attacks. \r\nGlupteba shows why all cybersecurity teams need to understand cryptocurrency and blockchain\r\nanalysis\r\nGlupteba’s blockchain-based method of avoiding the shutdown of its botnet represents a never-before-seen threat\r\nvector for cryptocurrencies. In the private sector, cryptocurrency businesses and financial institutions have thus far\r\ntypically been the ones tackling cases involving blockchain analysis, usually from an AML/CFT compliance\r\nperspective. But this case shows that cybersecurity teams at virtually any company that could be a target for\r\ncybercriminals — especially those possessing large amounts of sensitive customer data — must be well-versed in\r\ncryptocurrency and blockchain analysis in order to stay ahead of cybercriminals. At Chainalysis, we’re eager to\r\nwork with those teams to help them understand how our tools can assist them in diagnosing and fighting these\r\nthreats, so that cryptocurrencies can’t be weaponized against them or their users. 
\r\nThe convergence of malware and cryptocurrency: Same cybercriminals, new\r\nmethods\r\nThe cybersecurity industry has been dealing with malware for years, but the usage of these malicious programs to\r\nsteal cryptocurrency means cybersecurity teams need new tools in their toolbox. Chainalysis gives cybersecurity\r\nteams new avenues of investigation for malware, allowing them to take advantage of blockchains’ transparency\r\nand track the movement of funds that have been stolen until they reach an address whose owner can be identified.\r\nLikewise, cryptocurrency compliance teams already well-versed in blockchain analysis must educate themselves\r\non malware in order to ensure these threat actors aren’t taking advantage of their platforms to launder stolen\r\ncryptocurrency.\r\nThis material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment\r\nadvice. Recipients should consult their own advisors before making investment decisions. \r\nThis website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates\r\n(collectively “Chainalysis”). Access to such information does not imply association with, endorsement of,\r\napproval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for\r\nthe products, services, or other content hosted therein. 
\r\nChainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the\r\ninformation in this report and will not be responsible for any claim attributable to errors, omissions, or other\r\ninaccuracies of any part of such material.\r\nSource: https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/"
	],
	"report_names": [
		"2022-crypto-crime-report-preview-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434222,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5f273de65776097fa1572ac7c716c80f5e461bc.pdf",
		"text": "https://archive.orkl.eu/b5f273de65776097fa1572ac7c716c80f5e461bc.txt",
		"img": "https://archive.orkl.eu/b5f273de65776097fa1572ac7c716c80f5e461bc.jpg"
	}
}