‘Free Bitcoin’ Scam Propagated on YouTube Steals Crypto via Clipboard Hijacking

Published at: May 29, 2019

The Qulab information-stealing and clipboard hijacker trojan is being propagated on YouTube via fraudulent videos about an allegedly free bitcoin (BTC) generator, BleepingComputer reports on May 29.

According to the report, security researcher Frost reached out to BleepingComputer about the trojan scam, saying that YouTube would take down the fraudulent videos when reported, but new accounts and videos would subsequently pop up with the same MO.

The videos reportedly describe a tool that lets users earn free bitcoin, with a link in the video description. The link leads to a download for the alleged tool, which is in fact the Qulab trojan. Downloading alone does not deploy the trojan: the user has to install it.

In addition to attempting to steal a wide range of user information, the Qulab trojan reportedly also tries to steal cryptocurrency for the attacker: it scans strings copied to the Windows clipboard for ones it recognizes as crypto addresses, then substitutes the attacker’s address.

If a user pastes that string into a website field to specify where their funds are spent, they will paste in the attacker’s string instead and direct the funds there.

The warning indicates that this is a viable strategy, since users are reportedly unlikely to remember or visually register that their intended crypto address — a long string of characters — has been swapped out for a different one.

According to a report by Fumko, there is a long list of crypto addresses the trojan can recognize, including ones for bitcoin, bitcoin cash, cardano, ether, litecoin, monero, and more.
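The substitution described above leaves a recognizable trace: one address-shaped clipboard value replaced by a different one of the same family almost immediately. The following detection sketch is an added example, not code from the reports cited here; the snapshot format, the two-second window and the sample values are assumptions, and only bitcoin and ether shapes are covered.

```python
import re

# Coarse address shapes, enough to tell "looks like a wallet address" from
# ordinary text. These are format checks only, not checksum validation.
ADDRESS_SHAPES = {
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "ether": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed clipboard snapshots (seconds, text); none is a real address.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "ab" * 20),   # user copies a payment address
    (10.3, "0x" + "cd" * 20),   # different address 0.3 s later
    (60.0, "1" + "B" * 30),
    (95.0, "1" + "C" * 30),     # user copies another address 35 s later
    (95.2, "hello"),
]

def address_kind(text):
    """Return the address family a clipboard string resembles, or None."""
    value = text.strip()
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.match(value):
            return kind
    return None

def find_swaps(snapshots, window_seconds=2.0):
    """Flag an address replaced by a different one of the same family.

    snapshots: list of (timestamp_seconds, clipboard_text), oldest first.
    The window is an assumed threshold: a person rarely copies two
    different addresses within it, so a fast same-family change is suspect.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if kind is None or address_kind(after) != kind:
            continue  # not an address-to-address change
        if before.strip() != after.strip() and (t1 - t0) <= window_seconds:
            alerts.append({"time": t1, "kind": kind,
                           "copied": before.strip(), "now": after.strip()})
    return alerts

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

Both values in a flagged pair are well-formed, so format validation alone would accept the substituted address; the signal is the change itself.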

As previously reported by Cointelegraph, YouTube purportedly advertised malware disguised as an advertisement for bitcoin wallet Electrum in March. Reddit user mrsxeplatypus described the scam, predicated on URL hijacking, as follows:

“The malicious advertisement is disguised to look like a real Electrum advertisement [...] It even tells you to go to the correct link (electrum.org) in the video but when you click on the advertisement it immediately starts downloading the malicious EXE file. As you can see in the image, the URL it sent me to is elecktrum.org, not electrum.org.”
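The mismatch the Reddit user describes, an advertised electrum.org against a landing host of elecktrum.org, can be checked mechanically before a download is trusted. This is an added example, not part of the original report; the function names, the distance threshold of 2 and the URL paths in the sample calls are assumptions.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def host_of(url_or_host):
    """Lower-cased hostname of a URL or bare host, without a leading www."""
    text = url_or_host.strip().lower()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host as a netloc
    host = urlsplit(text).hostname or ""
    return host[4:] if host.startswith("www.") else host

def compare_link(advertised, landing, max_distance=2):
    """Classify the landing host against the host the ad told users to visit."""
    shown, actual = host_of(advertised), host_of(landing)
    if not shown or not actual:
        return "unparseable"
    if actual == shown or actual.endswith("." + shown):
        return "match"      # same site or one of its subdomains
    if edit_distance(shown, actual) <= max_distance:
        return "lookalike"  # near miss: treat as typosquatting
    return "different"

if __name__ == "__main__":
    # Hostnames are from the article; the paths are constructed.
    print(compare_link("electrum.org", "https://elecktrum.org/download"))
    print(compare_link("electrum.org", "https://www.electrum.org/"))
```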
