Botnet steals half a million dollars in cryptocurrency from victims

The botnet uses a tactic called crypto clipping, which relies on malware to steal cryptocurrency during a transaction, says Check Point Research.

Image: iStock/bagotaj

Botnets are a popular tool used by cybercriminals to control a network of compromised machines for malicious purposes. And as botnets get more sophisticated, the level of damage they can inflict grows. A new botnet variant discovered by cyber threat intelligence provider Check Point Research employs a unique method to steal cryptocurrency from its victims.

SEE: Identity theft protection policy (TechRepublic Premium)

In a blog post published Thursday, Check Point said that it found a new variant of the Phorpiex botnet, famous for sextortion and crypto-jacking attacks. Known as Twizt, the variant has already stolen almost half a million dollars in cryptocurrency over a year, mostly from people in Ethiopia, Nigeria and India.

From November 2020 to November 2021, Phorpiex bots hijacked 969 cryptocurrency transactions, grabbing 3.64 Bitcoin ($179,000), 55.87 in Ethereum ($227,000), and $55,000 in ERC20 tokens. In its most profitable attack, the botnet snagged 26 in Ethereum ($105,000).

Once deployed, Twizt essentially acts on its own without any active command and control servers, which means the botnet can automatically widen its net by skirting past traditional security defenses. As a result of the botnet’s latest features, Check Point believes it may become even more stable and more dangerous.

Victims of Twizt by country

Image: Check Point Research

To prey on crypto currency traders during an actual transaction, Twizt uses a technique called “crypto clipping.” Here, the botnet employs malware that automatically replaces the intended wallet address with the address of the cybercriminal, so the funds are unknowingly hijacked.

“There are two main risks involved with the new variant of Phorpiex,” said Alexander Chailytko, cyber security research & innovation manager at Check Point Software. “First, Twizt is able to operate without any communication with C&C, therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, and Monero.”

Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Recommendations for cryptocurrency traders

Check Point warns that anyone who deals in cryptocurrency could be affected by Twizt. For that reason, Check Point offers the following tips for cryptocurrency traders:

Double-check the intended wallet address. When you copy and paste a crypto wallet address, confirm that the original and pasted addresses are the same.
Try a test transaction first. Before you send a large amount to someone in cryptocurrency, send a test transaction with a small amount to ensure that the money reaches the right person.
Stay updated. Make sure your operating system is updated with the latest security patches and don’t download software from unverified or unofficial sources.
Look beyond the ads. When searching for wallets or crypto trading and swapping platforms in the crypto space, look at the first actual website in the search results and not at any ads that pop up. Check Point discovered that scammers are using Google Ads to steal crypto wallets.
Scan the URLs. Always double-check the URLs involved in any cryptocurrency process or transaction.