Security Experts:

Connect with us

Hi, what are you looking for?



Phorpiex Botnet Hijacked 3,000 Cryptocurrency Transactions

Over the past five years, the Phorpiex botnet has managed to hijack approximately 3,000 cryptocurrency transactions, stealing at least hundreds of thousands of dollars, Check Point says.

Over the past five years, the Phorpiex botnet has managed to hijack approximately 3,000 cryptocurrency transactions, stealing at least hundreds of thousands of dollars, Check Point says.

Around since 2016, the botnet became famous for its large sextortion spam campaigns, and was estimated in 2019 to have infected one million devices worldwide. Despite that, its activity dropped sharply in the summer of 2021, and in late August its operators announced they were selling it.

A couple of weeks later, the botnet’s command and control (C&C) servers reemerged with a new IP address, and also started distributing a new bot, called Twizt, which switched to a peer-to-peer mode and no longer relied on a central C&C server.

The Twizt bot, Check Point’s security researchers explain, can reconfigure home routers that feature UPnP support to receive incoming connections, thus making the botnet more resilient.

Phorpiex has infected devices in 96 countries, with most of its victims located in Ethiopia, Nigeria and India. Although the number of infected devices has remained relatively constant throughout the year, the botnet has been expanding over the past two months, the researchers say.

The botnet has long been capable of crypto-jacking, ransomware distribution, and spam delivery, and the Twizt variant features a crypto-clipper that supports over 30 wallets for different blockchains, such as Bitcoin, Dash, Dogecoin, Ethereum, Monero, and Zilliqa.

Courtesy of this clipper, Phorpiex can steal funds during cryptocurrency transactions by substituting the recipient’s wallet address – which has been saved to the clipboard – with the attacker’s wallet address.

Check Point has identified 60 unique Bitcoin wallets and 37 Ethereum wallets used by the botnet’s operators and estimates that, between November 2020 and November 2021, Phorpiex was used to hijack 969 transactions, stealing almost half a million dollars.

Since 2016, however, the botnet is believed to have hijacked approximately 3,000 crypto transactions in Bitcoin and Ether. If other blockchains are included, the number could be much higher.

The average amount of stolen cryptocurrency, however, is relatively small and also decreases with the cryptocurrency price rises, the researchers note.

“In the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to be managed without having a centralized infrastructure. The C&C servers can now change their IP addresses and issue commands, hiding among the botnet victims,” Check Point concludes.

Related: Mirai-Based ‘Manga’ Botnet Targets Recent TP-Link Vulnerability

Related: ‘Moobot’ Botnet Targets Hikvision Devices via Recent Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.