Home Web3 Security Top 10 Malware Which Targeted Crypto Users

Top 10 Malware Which Targeted Crypto Users

by ImmuneBytes
Top 10 Malware Which Targeted Crypto Users


Cryptocurrencies have become a popular target for hackers and cybercriminals in recent years, and it’s not hard to see why. With the rise of cryptocurrencies like Bitcoin, Ethereum, and Ripple, more and more people are investing in digital currencies, making them a lucrative target for cybercriminals looking to steal digital assets.

Malware is one of the most popular ways that hackers can gain access to users’ cryptocurrency wallets and steal their digital assets. In this blog post, we’ll explore the top 10 malware that have targeted crypto users in recent years.


TrickBot is a modular banking Trojan that has been around since 2016. 

It was initially designed to steal banking credentials, but it has since evolved to include cryptocurrency wallets as a target. TrickBot is usually distributed via phishing emails, and it can infect a user’s computer without them even realizing it.

The many tricks this Trojan has done since its discovery in 2016 are attributed to the creativity and agility of its developers.

On top of stealing, TrickBot has been given capabilities to move laterally and gain a foothold within an affected network using exploits, propagate copies of itself via Server Message Block (SMB) shares, drop other malware like Ryuk ransomware, and scout for documents and media files on infected host machines.

As a highly modular malware, it can adapt to any environment or network it finds itself in.


Emotet is another banking Trojan that has been around for a while. It was first discovered in 2014, but it has continued to evolve and become more dangerous over the years. 

Like TrickBot, Emotet is usually distributed via phishing emails, and it can steal a user’s cryptocurrency wallet information.

Emotet spreads mainly through spam emails. The respective email contains a malicious link or an infected document.

If you download the document or open the link, further malware is automatically downloaded onto your computer. These emails were created to look very authentic, and many people have fallen victim to Emotet.

Many of the victims of Emotet are often blackmailed to pay ransom in order to get the data back. Unfortunately, there is no solution that provides 100% protection against an infection by Emotet. However, there are several measures that can be taken to reduce the risk of an infection.

CryptoLocker and CryptoLocker 2.0

CryptoLocker is a ransomware that was first discovered in 2013. It works by encrypting a user’s files and demanding a ransom in exchange for the decryption key. While CryptoLocker doesn’t specifically target cryptocurrency wallets, it can still be dangerous for crypto users who have important files stored on their computers.

The primary means of infection is phishing emails with malicious attachments. These emails are designed to mimic the look of legitimate businesses and phony FedEx and UPS tracking notices.

Cryptolocker can cause serious damage to personal and business computers. By always creating a physically separate backup of critical files, regularly running antivirus scans, and avoiding unknown email attachments, you can minimize the chance of infection.

CryptoLocker 2.0 is a newer version of the original CryptoLocker ransomware. It works the same way as the original, encrypting a user’s files and demanding a ransom in exchange for the decryption key. However, CryptoLocker 2.0 targets cryptocurrency wallets and can steal a victim’s digital assets.

CryptoLocker 2.0 is the second version of CryptoLocker, a particularly nasty ransomware virus that has infected over 200,000 computer systems.  CryptoLocker 2.0 uses a 1024-bit RSA key pair uploaded to a command-and-control server, which it used to encrypt or lock files with certain extensions and delete the originals.

Once files are locked, Cryptolocker 2.0 then threatens to delete the private key needed to unlock the files if payment is not received within three days. Some experts believe that CyrptoLocker 2.0 is not an extension of the CryptoLocker ransomware but may be a copycat. They speculate that the new strand is simply using CryptoLocker as a base. 

Cryptolocker 2.0 demanded that the payments were to be made in the form of Bitcoins. If its demands were not met in three days, victims would usually be given a second opportunity to pay a much higher ransom to get their files back.

There isn’t a person on earth that would want a virus on their computer, but there are particularly nasty ones that many dread. CyrptoLocker is one of them. The latest CryptoLocker is just as malicious as its predecessor, if not worse.


WannaCry is another ransomware that made headlines in 2017. It infected hundreds of thousands of computers around the world and demanded a ransom in Bitcoin in exchange for the decryption key. 

While WannaCry doesn’t specifically target cryptocurrency wallets, it can still be a threat to crypto users who have important files stored on their computers.

After infecting a Windows computer, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in Bitcoin in order to decrypt them.

WannaCry exploded across the internet on May 12, 2017, taking advantage of EternalBlue, but Symantec’s initial blog post on WannaCry’s origins also revealed some important and little-known information about how the malware got started even before that. WannaCry had, in fact, been circulating for months before it became impossible to avoid. 


CoinMiner is a type of malware that is designed to mine cryptocurrencies on a victim’s computer without their knowledge or consent. It can slow down a user’s computer and use up their processing power, which can be costly in terms of electricity bills. CoinMiner is usually distributed via phishing emails or malicious websites.

When intentionally run for one’s own benefit, they may prove a valuable source of income. However, malware authors have created threats and viruses that use commonly-available mining software to take advantage of someone else’s computing resources (CPU, GPU, RAM, network bandwidth, and power), without their knowledge or consent (a.k.a cryptojacking).

There are many different ways to force a computer or device to mine cryptocurrency. These are the three main types of miners:

  1. Executables: These are typical malicious or Potentially Unwanted Application (PUA)  executable files (.exe) placed on the computer and designed to mine cryptocurrencies.
  2. Browser-based Cryptocurrency Miners: These JavaScript (or similar technology) miners perform their work in an Internet browser, consuming resources for as long as the browser remains open on the website. Some miners are used intentionally by the website owner in place of running ads (e.g., Coinhive), while others have been injected into legitimate websites without the website owner’s knowledge or consent.
  3. Advanced Fileless Miners: Malware has emerged that performs its mining work in a computer’s memory by misusing legitimate tools like PowerShell. One example is MSH.Bluwimps, which carries out additional malicious acts in addition to mining.


CryptoShuffler is a type of malware that is designed to steal cryptocurrency wallet information. It works by replacing a user’s cryptocurrency wallet address with the hacker’s wallet address when they try to make a transaction. This means that the victim’s digital assets are transferred directly to the hacker’s wallet.

Once the Cryptoshuffler code has been deposited in the user’s computer, it constantly looks for digital wallet data just copied to the clipboard. When it finds a match, it has access to the user’s transaction, which it alters to send coins to the cryptoshuffler’s account.

CryptoShuffler has made at least $150,000 worth of Bitcoin by using an extremely simple scheme. Crooks infect users with their trojan, which then sits idly on users’ computers and does nothing but watch the user’s clipboard and replace any string that looks like a Bitcoin wallet with the attackers’ address.

Clipboard Hijackers

Clipboard hijackers are another type of malware that targets cryptocurrency users. They work by monitoring a user’s clipboard for cryptocurrency wallet addresses. When the user tries to make a transaction, the clipboard hijacker replaces the victim’s wallet address with the hacker’s wallet address.

Clipboard hijacking is an attack that copies a link to a computer’s clipboard. This link often cannot be deleted unless the computer is restarted. The malicious content in the clipboard is a seemingly innocuous link to a website that a user is redirected to. That website advertises a product such as anti-virus software, which is actually a spyware application. 

This method is called malvertizement, which comes from the words malicious and advertisement. The insidious nature of this attack is that this link gets inadvertently pasted from the clipboard along with any text, so users spread it unintentionally by pasting it in their email, blog articles and comments, documents, and other mediums where text might be pasted.


Pony is a type of malware that is designed to steal a variety of information, including cryptocurrency wallet information. It can infect a user’s computer via phishing emails or malicious downloads.

Pony has been around since 2011, but it’s still the biggest threat when it comes to credential theft, according to data from Blueliv’s report, The Credential Theft Ecosystem. It leads the way at 39%, with LokiPWS and KeyBase trailing behind at 28% and 16%, respectively.

Also known as Pony Stealer, Pony Loader, FareIT, and a few other names, this malware has been responsible for several high-profile attacks, as well as countless other thefts that never made the news.

By 2013, a number of large Pony botnets had been seen, with one responsible for the theft of almost two million sets of credentials.

Since then, there was the 2014 campaign that resulted in the theft of 700,000 sets of credentials and $200,000 in cryptocurrencies, as well as a spate of attacks that kicked off in 2015, which combined the triple-threat of Pony, an exploit kit called Angler and a ransomware program known as CryptoWall.


Dyre is a banking Trojan that is designed to steal banking credentials, including cryptocurrency wallet information. It is usually distributed via phishing emails and can infect a user’s computer without their knowledge.

Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that allows threat actors to connect to a bank website through the victim’s computer. 

The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor (“web fakes”) and a dynamic web inject system that allows the threat actors to manipulate a financial institution’s website content. 

Similar to other banking trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim’s system, stealing information and manipulating website content before it is rendered by the browser.


With the increasing popularity and value of cryptocurrencies, cybercriminals are constantly developing new and sophisticated malware to target digital assets.

Crypto users should take proactive measures to protect their wallets and personal information from potential threats. These measures can include keeping software and antivirus programs up-to-date, avoiding suspicious emails and downloads, and using reputable cryptocurrency wallets and exchanges.

By being aware of the top malware that has targeted crypto users, users can take the necessary precautions to safeguard their investments and digital assets.

You may also like