'Less sophisticated' malware is stealing millions: Chainalysis

Cryptojacking accounted for 73% of the total value received by malware related addresses between 2017 and 2021, according to a new malware report from blockchain analysis firm Chainalysis.

Malware is used to conduct nefarious activity on a victim’s device such as a smartphone or PC after being downloaded without the victim’s knowledge. Malware-powered crime can be anything from information-stealing to denial-of-service (DDoS) attacks or ad fraud on a grand scale.

The report excluded ransomware, which involves an initial use of hacks and malware to leverage ransom payments from vicitms in order to halt the attacks. Chainalysis stated:

“While most tend to focus on high-profile ransomware attacks against big corporations and government agencies, cybercriminals are using less sophisticated types of malware to steal millions in cryptocurrency from individual holders.”

Chainalysis’ Jan. 19 report focuses on the various types of crypto-malware, excluding ransomware, used over the last decade such as info stealers, clippers, cryptojackers and trojans, noting that they are generally cheap to acquire and even “low-skilled cybercriminals” can use them to siphon funds from their victims.

Cryptojacking tops the list of value received via malware at 73%, Trojans were ranked second at 19%, ‘Others’ totalled 5% while information stealers and clippers represented a mere 1% each.

According to Chainalysis, malware addresses send the “majority of funds on to addresses at centralized exchanges,” but note that figure is declining. As of 2021, exchanges only received 54% of funds from those addresses compared to 75% in 2020 and around 90% in 2019.

“DeFi protocols make up much of the difference at 20% in 2021, after having received a negligible share of malware funds in 2020.”

The report looked at the prolific Hackboss clipper that has stolen around $560,000 since 2012 by infecting user's clipboards to steal and replace information. It found that the “Cryptobot” infostealer was significant source source of ill-gotten gains in 2021, generating $500,000 worth of Bitcoin (BTC) from around 2,000 transactions.

Cryptojacking

Cryptojacking malware utilizes the victim’s computing power to mine various cryptocurrencies, with the target asset of choice “usually Monero” but Zcash (ZEC) and Ethereum (ETH) are sometimes also mined.

Chainalysis notes that a specific amount generated by this method is hard to pin down as the funds are transferred from mempools to unknown mining addresses as opposed to “the victim’s wallet to a new wallet” in other cases.

Despite being unable to provide an estimated monetary figure on the harm caused by cryptojackers, Chainalysis projects this malware type to account for almost three quarters of the total value generated by crypto-malware.

The report noted a 2020 report from Cisco’s cloud security division stated that cryptojacking affected 69% of its clients, thus translating to an “incredible amount of stolen computer power” used to mine large amounts of crypto.

It also highlighted a 2018 report from Palo Alto Networks which estimated that 5% of Monero’s circulating supply was mined by cryptojackers, estimated to be worth around $100 million in ill-gotten revenue.

Related: Crypto.com breach may be worth up to $33M, suggests onchain analyst

Info Stealer and clippers

Info stealers are used to swipe the victim’s crypto wallet info and account credentials, while clippers can be used to insert a specific text into the victim’s clipboard.

Clipper malware is often used to hijack the victim's outgoing transactions by inserting the cybercriminal’s wallet address when victims attempt to paste a sending address.

The report noted that these two types of malware received a combined 5,974 transfers from victims in 2021, up from 5,449 in the year prior.

Illicit crypto usage as a percent of total usage has fallen: Report   June 14, 2022
Expert Warns: Don’t Trust Ransomware Groups Amid Pandemic   April 16, 2020
Coin Bureau Youtube channel hacked despite 2FA protection   Jan. 24, 2022
Crypto app targeting SharkBot malware resurfaces on Google app store   Sept. 5, 2022
Hope Finance exploit results in $2M stolen from users' funds   Feb. 21, 2023