A Windows trojan known as CryptoShuffler steals cryptocurrencies using a very simple mechanism: it replaces any cryptocurrency wallet address on a user's clipboard with one of its own.
CryptoShuffler targets a number of digital currencies — Bitcoin, Ethereum, Zcash, Monero, Dash and Dogecoin — according to researchers from Kaspersky Lab.
Unlike cryptocurrency miners, which are noticeable when present on a computer, this trojan is not.
CryptoShuffler resides in the memory of the infected Windows computer and monitors the contents of the clipboard.
When the user copies the wallet address of a digital currency — which can be detected because of the line length and certain specific characters — the trojan replaces the address with another.
The cryptocurrency transfer thus goes through but not to the wallet that the user thought it was being sent to.
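The same length-and-character test can be turned around for detection. The sketch below is an added example, not Kaspersky's tooling or code from the trojan: it scans a clipboard history and flags an address-shaped value that is replaced by a different address of the same currency within a short window. The patterns, the two-second window, the event format and the sample values are all assumptions constructed for illustration.

```python
import re

B58 = "[1-9A-HJ-NP-Za-km-z]"
# Simplified address shapes (assumption): prefix and length only, no checksum check.
PATTERNS = {
    "bitcoin": re.compile(rf"[13]{B58}{{25,34}}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "dash": re.compile(rf"X{B58}{{33}}"),
    "dogecoin": re.compile(rf"D{B58}{{33}}"),
}

def classify(text):
    """Return the currency whose address shape the whole string matches, else None."""
    candidate = text.strip()
    for currency, pattern in PATTERNS.items():
        if pattern.fullmatch(candidate):
            return currency
    return None

def find_swaps(events, window=2.0):
    """events: (timestamp_seconds, clipboard_text) pairs in time order.
    Flag an address replaced by a different address of the same currency
    within `window` seconds; a person rarely copies two that quickly."""
    swaps = []
    prev_time, prev_text, prev_kind = None, None, None
    for ts, text in events:
        kind = classify(text)
        if (kind and kind == prev_kind and text.strip() != prev_text.strip()
                and ts - prev_time <= window):
            swaps.append((ts, kind, prev_text.strip(), text.strip()))
        prev_time, prev_text, prev_kind = ts, text, kind
    return swaps

# Constructed clipboard history; the addresses are placeholders, not real wallets.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "1" + "A" * 33),    # user copies a Bitcoin-shaped address
    (10.2, "1" + "B" * 33),    # replaced 0.2 s later: suspicious
    (50.0, "0x" + "a" * 40),   # Ethereum-shaped address
    (300.0, "0x" + "b" * 40),  # a different one minutes later: normal use
]

if __name__ == "__main__":
    for ts, kind, old, new in find_swaps(SAMPLE_EVENTS):
        print(f"t={ts}: {kind} address {old[:8]}... replaced by {new[:8]}...")
```

Comparing the pasted address against the intended one before confirming a transfer catches the same swap without any monitoring.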
Kaspersky said that at the time it was detected, about 23 bitcoin had been transferred across to the attackers' wallet - roughly US$140,000 at current exchange rates.
Other cryptocurrencies worth tens of thousands of dollars were also found.
Kaspersky did not specify how the trojan infected Windows systems. However, once it did gain access, it wrote itself to the registry so that it would autoload.