Clipboard-injecting malware disguises itself as Tor browser, steals cryptocurrency

Clipboard-injecting malware disguises itself as Tor browser, steals cryptocurrency

Imagine you live in Russia and want to use the Tor browser to anonymise your browsing of the web.

There’s a problem. Many people in Russia find their access to the official Tor website is blocked by their ISP.

So, what do you do?

Well, you could try to find somewhere other than the official Tor website to download Tor from.

But is the version of Tor you downloaded from a torrent or third-party site trustworthy?

According to a report from Russian anti-virus outfit Kaspersky, perhaps not.

Sign up to our free newsletter.
Security news, advice, and tips.

Kaspersky boffins say that they have seen malware distributed as copies of Tor, which has stolen approximately US $400,000 worth of cryptocurrency from almost 16,000 users worldwide.

According to the researchers, boobytrapped installers offer Tor with a selection of regional language packs, including Russian.

Tor installer malware
Tor installer malware. Source: Kaspersky

Once installed, the malware snoops on your Windows clipboard.

If it sees in your clipboard what it believes to be an address for a cryptocurrency wallet, it replaces it with an address controller by the attacker.

The upshot is that you might think you are moving cryptocurrency into your own wallet, but in fact you’re putting it into the hands of a cybercriminal.


I was amused to see the team at Kaspersky suggest a simply method to check whether you system was compromised:

Type or copy the following “Bitcoin address” in Notepad: bc1heymalwarehowaboutyoureplacethisaddress

Now press Ctrl+C and Ctrl+V. If the address changes to something else — the system is likely compromised by a clipboard-injector type of malware, and is dangerous to use.

Clipboard injection
Malware changing the wallet address through clipboard injection. Source: Kaspersky

I don’t think I’d rely on that test alone to tell if my computer was compromised by the clipboard-injecting malware, but it’s an interesting thing to try.

If you’re in any doubt, it’s perhaps safest to always assume your computer is compromised.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.