Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Uncover Ongoing Bitcoin Theft Campaign

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

Researchers at LogRhythm have uncovered a malware campaign designed to steal bitcoins.

The attack typically begins with a phishing email with the subject line ‘Wallet Backup.’ The attackers have apparently targeted by people they know use Bitcoin by scraping popular BTC sites for email addresses, LogRhythm’s Greg Foss explained in a blog post.

A link in the email redirects to a site and downloads the file ‘’ Analyzing the metrics around the malicious link show that roughly 2,000 users have clicked on the link since the malware campaign was launched Jan. 6.

“A majority of the clicks were through unknown sources, most likely e-mail, though other sources such as Reddit were also used to propagate the attack,” Foss blogged. “After extracting the contents and running the files through some quick analysis, it is apparent that each file plays a significant role in the overall attack. They anticipate that the user will open Passwords.txt.lnk first, and then view wallet.dat, as only these two files are visible unless ‘show hidden files’ is turned on in Windows. Running strings on Password.txt appears to show a financial transaction of some kind, most likely attempting to siphon off the user’s BTC to their accounts.”

Bitcoins are hardly a new target for hackers. In October, attackers stole $1 million in bitcoins from More recently, the malware attack that hit Yahoo users in Europe earlier this month was designed to create a large network of machines for bitcoin mining.

In the attack discovered by LogRhythm, the malware appears to lay dormant on the machine until the victim opens their bitcoin wallet using the BitcoinQT software.

“This is the obvious intended target, as the malware is hard-coded for windows hosts and the screenshot included in the .zip file suggests the use of BitcoinQT by showing a screenshot of the included wallet.dat file which happens to contain a very tempting ~30 BTC,” Foss blogged.

“Once BitcoinQT.exe is opened, the software appears to connect back to the attacker’s network, however it is difficult to tell immediately which IP addresses are related to the malware, though this is only one potential avenue,” he added.

RelatedBitcoin Exchanges Hit By Hackers

RelatedCyber Thieves Blamed for Bitcoin Heist

RelatedMac Malware Targets Bitcoin Wallet Logins

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.