New Cryptojacking Malware MassJacker Targets Cryptocurrency Transactions
According to Cointelegraph, a new type of cryptojacking malware known as MassJacker is targeting users who download pirated software, hijacking cryptocurrency transactions by replacing stored addresses. The malware originates from the website pesktop[dot]com, where unsuspecting users may inadvertently infect their devices. Once installed, MassJacker replaces cryptocurrency addresses copied to the clipboard with addresses controlled by the attacker.
CyberArk reports that 778,531 unique wallets are linked to the theft, although only 423 wallets held crypto assets at any time. The total amount of cryptocurrency stored or transferred from these wallets was approximately $336,700 as of August. However, the actual extent of the theft could vary. One wallet, in particular, was active, containing over 600 Solana (SOL) valued at around $87,000. This wallet also had a history of holding non-fungible tokens (NFTs) such as Gorilla Reborn and Susanoo. An analysis of the wallet on Solana’s blockchain explorer Solscan revealed 1,184 transactions dating back to March 11, 2022. The wallet's owner engaged in decentralized finance activities in November 2024, swapping tokens like Jupiter (JUP), Uniswap (UNI), USDC (USDC), and Raydium (RAY).
Cryptocurrency malware is not a new phenomenon. Since the release of the first publicly available cryptojacking script by Coinhive in 2017, attackers have targeted a variety of devices across different operating systems. In February 2025, Kaspersky Labs identified crypto malware in app-making kits for Android and iOS, capable of scanning images for crypto seed phrases. In October 2024, cybersecurity firm Checkmarx discovered crypto-stealing malware on the Python Package Index, a platform for developers to share code. Other malware has targeted macOS devices.
Attackers are employing increasingly sophisticated methods to distribute malware. One such method involves a fake job scam, where victims are recruited under the guise of a job offer. During a virtual interview, the attacker instructs the victim to "fix" microphone or camera access issues, a step that installs the malware and allows it to drain the victim’s crypto wallet. The "clipper" attack, which alters cryptocurrency addresses copied to a clipboard, is less well known than ransomware or information-stealing malware. As noted by CyberArk, it offers advantages for attackers due to its discreet operation and its ability to go undetected in sandbox environments.