Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Uncover Ongoing Bitcoin Theft Campaign

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

The attack typically begins with a phishing email with the subject line ‘Wallet Backup.’ The attackers have apparently targeted by people they know use Bitcoin by scraping popular BTC sites for email addresses, LogRhythm’s Greg Foss explained in a blog post.

A link in the email redirects to a site and downloads the file ‘’ Analyzing the metrics around the malicious link show that roughly 2,000 users have clicked on the link since the malware campaign was launched Jan. 6.

“A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack,” Foss blogged. “After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack. They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless ‘show hidden files’ is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts.”

Bitcoins are hardly a new target for hackers. In October, attackers stole $1 million in bitcoins from More recently, the malware attack that hit Yahoo users in Europe earlier this month was designed to create a large network of machines for bitcoin mining.

In the attack discovered by LogRhythm, the malware appears to lay dormant on the machine until the victim opens their bitcoin wallet using the BitcoinQT software.

“This is the obvious intended target, as the malware is hard-coded for windows hosts and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file which happens to contain a very tempting ~30 BTC,” Foss blogged.

“Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network, however it is difficult to tell immediately which IP addresses are related to the malware, though this is only one potential avenue,” he added.

RelatedBitcoin Exchanges Hit By Hackers

RelatedCyber Thieves Blamed for Bitcoin Heist

RelatedMac Malware Targets Bitcoin Wallet Logins

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.