Discord Clipboard Hijacker Campaign – Cryptocurrency Theft

Researchers have uncovered a clipboard hijacker malware spreading through Discord communities, targeting gamers, streamers, and crypto enthusiasts. The malware silently swaps copied wallet addresses with attacker-controlled ones, diverting funds during transactions.

Campaign Overview

  • Threat actor: “RedLineCyber” (posing as RedLine Solutions).
  • Distribution: Shared in Discord servers as fake streaming/security tools (Pro.exe, peeek.exe).
  • Target audience: Gaming, gambling, and cryptocurrency streaming communities.
  • Pitch: Claimed to help manage/protect wallet addresses during live sessions.

Infection Mechanism

  1. Victim downloads and runs Pro.exe.
  2. Malware creates CryptoClipboardGuard folder in %APPDATA%.
  3. Registers persistence via Windows Run key.
  4. Packaged with PyInstaller, so it runs even on hosts without Python installed.
  5. Enters a loop, checking clipboard ~3 times per second.
  6. Detects crypto wallet formats via base64 regex.
  7. Replaces copied wallet address with attacker’s preset wallet.
  8. Logs activity in activity.log inside %APPDATA%\CryptoClipboardGuard.

Why It’s Effective

  • No C2 traffic: Operates entirely offline, so there are no network indicators for perimeter tools to catch.
  • Low resource usage: Runs quietly in the background.
  • Human weakness: Exploits reliance on copy-paste for long wallet strings that nobody reads in full.
  • Stealth: Victims typically notice only after funds have landed in the wrong wallet, and crypto transfers are irreversible.

Impact

  • Stolen funds traced across Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron.
  • Targets high-value transfers during live trading/streaming.
  • Can remain active for long periods without raising suspicion.

Defensive Recommendations

  • Verify wallet addresses manually before confirming transactions.
  • Avoid downloading tools shared privately on Discord or gaming servers.
  • Monitor %APPDATA% for suspicious folders like CryptoClipboardGuard.
  • Check registry Run keys for unknown executables.
  • Use endpoint protection with behavioral monitoring (clipboard manipulation detection).
  • Educate users: Streamers and traders should be aware of clipboard hijacking risks.
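A host check for the artifacts this write-up names, covering the folder, log and Run-key items above plus a process lookup. This is an added example, not code from the article or any vendor; the folder, log and sample names (CryptoClipboardGuard, activity.log, Pro.exe, peeek.exe) come from the article, everything else is my own.

```powershell
# Added example: hunt for the host artifacts attributed to this campaign.
# Names below come from the write-up; output format and process check are mine.

$suspiciousNames = @('Pro.exe', 'peeek.exe', 'CryptoClipboardGuard')
$findings = @()

# 1. Dropped folder and activity log under %APPDATA%
$dropDir = Join-Path $env:APPDATA 'CryptoClipboardGuard'
if (Test-Path $dropDir) {
    $findings += "Folder present: $dropDir"
    $log = Join-Path $dropDir 'activity.log'
    if (Test-Path $log) {
        $findings += "Activity log present ($((Get-Item $log).Length) bytes): $log"
    }
}

# 2. Run-key persistence (per-user and machine-wide) referencing known names
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $value = [string]$p.Value
        foreach ($name in $suspiciousNames) {
            if ($value -like "*$name*") {
                $findings += "Run key $key\$($p.Name) -> $value"
            }
        }
    }
}

# 3. Running processes matching the sample names or launched from the drop folder
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { ($suspiciousNames -contains ($_.Name + '.exe')) -or ($_.Path -like "$dropDir*") } |
    ForEach-Object { $findings += "Process $($_.Id): $($_.Path)" }

if ($findings.Count -eq 0) {
    Write-Output 'No CryptoClipboardGuard artifacts found on this host.'
} else {
    Write-Warning 'Possible clipboard hijacker artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated session so the HKLM Run key and all process paths are readable; a clean result does not rule out a renamed variant, so treat the name list as a starting point.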

Takeaway

This campaign highlights how attackers exploit trust in online communities and human shortcuts (copy-paste) to steal cryptocurrency. Clipboard hijackers are simple but devastating, and vigilance at the transaction stage is the only reliable defense.
