

AMLT Crypto Alert of the Week - The Evolution of Crypto Ransom/Malware

Nov 16, 2018



Welcome to week 14 of the Crypto Alert of the Week series by AMLT, a series dedicated to documenting interesting or high-profile frauds, hacks and similar incidents that have recently been reported into the AMLT Network, and to showing how the AMLT Network can help track and prevent them in the future.

As the cryptocurrency space evolves, so do the attack angles that hackers use to get hold of people’s coins. Today we take a look at some evolving cases.

Generally speaking, there are three popular attack angles. The first is ransomware: a program that encrypts your files and demands a ransom (usually paid in Bitcoin) to decrypt them and bring everything back. A well-known example is the notorious WannaCry, which peaked in 2017 and is still infecting many computers to this day.

Second, there are attacks on our files, scanning them for any cryptocurrency keys that can be stolen. The third is malicious mining, done covertly, costing people a lot in electricity bills and lost PC performance. A famous example of that would be the Coinhive Monero mining botnet.

But what if a single malicious program could perform more than one of these actions, depending on which is more profitable? This is where the infamous “Rakhni Trojan” comes in. First seen in 2013, this notorious virus, most likely of Russian origin, has recently added a new weapon to its arsenal. What started as ransomware has evolved into a multi-purpose virus. Usually spread in spam campaigns, it infects PCs disguised as PDF reader software signed with forged digital certificates.

Right after successfully gaining access, it scans the machine for any cryptocurrency-related files and folders. If it finds what it is looking for, it runs its ransomware component, encrypting private files and demanding payment in Bitcoin, with the payment details to be sent via email. If it finds no cryptocurrency files, the virus instead checks the computer’s hardware to determine whether it is capable of mining. If so, it downloads mining software that mines Monero, DASH or occasionally another cryptocurrency in the background.

These kinds of attacks are incredibly hard to track, as the malware producers tend to prefer privacy-focused cryptocurrencies.

Another notorious piece of malware is the Bitclip virus, yet another well-known clipboard changer. It detects any cryptocurrency address held in your computer’s clipboard and replaces it with its own address. As simple as it sounds, it has stolen a large amount of coins while remaining largely undetected, because people did not realize that the addresses were being silently replaced.
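As an added illustration (not code from the original post or from AMLT/Coinfirm), the Python sketch below shows how the clipboard substitution described above can be caught on the endpoint: it compares the address the user actually copied with what the clipboard holds at paste time, and checks the Base58Check checksum of any substituted address. The event trace, the "trusted copy hook" idea and the sample addresses are constructed for the example (the addresses are well-known public example addresses, not attacker addresses).

```python
import hashlib
import re

# Legacy (Base58Check) Bitcoin address shape; bech32 addresses are out of scope here.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256
    checksum of the first 21 (the legacy Bitcoin address rule)."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

def find_clipboard_swaps(events):
    """Scan (source, text) clipboard events: 'copy' is a user-initiated copy seen by
    a trusted hook (hypothetical), 'read' is the clipboard content just before a
    paste. A read whose address differs from the last copy is a silent swap."""
    alerts = []
    last_copied = None
    for source, text in events:
        m = ADDR_RE.search(text)
        addr = m.group(0) if m else None
        if source == "copy":
            last_copied = addr
        elif source == "read" and addr and last_copied and addr != last_copied:
            alerts.append({"expected": last_copied, "found": addr,
                           "found_checksum_ok": b58check_ok(addr)})
    return alerts

# Constructed sample trace using two public example addresses: the user copies the
# Bitcoin genesis address; a clipper overwrites it with another valid address.
SAMPLE_EVENTS = [
    ("copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("read", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # untouched paste
    ("copy", "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("read", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # swapped before paste
]

if __name__ == "__main__":
    for alert in find_clipboard_swaps(SAMPLE_EVENTS):
        print("clipboard swap detected:", alert)
```

Because a clipper writes a fully valid address, the checksum alone never reveals the swap; only the comparison against what the user really copied does.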

One of these malware addresses has been recently reported to the AMLT Network and marked as an address belonging to a hacker.

See here how you can report data into the AMLT Network, get rewarded for it, and help make the cryptoeconomy more transparent and safer. Once reported into the Network and verified by our data team, the risk reports for these addresses reflect the appropriate flag, an elevated risk rating and a behavioral profile.

Check out the AML Risk Report generated for the Bitclip malware below:

If you're interested in partnering with Coinfirm or becoming an AMLT Network Member then contact us!

Thank you for your continued support and make sure to follow all of our latest updates on Twitter, Facebook, LinkedIn and Telegram Community.

The AMLT Team