$400,000 stolen with trojanized Tor browsers

04/20/2023 | Darknet News

A wave of cryptocurrency thefts targeting victims in dozens of countries, using trojanized copies of the Tor browser as cover, has been discovered. The spread of victims indicates that the thieves' motivation is financial rather than nationalistic.

Antivirus firm Kaspersky reported finding an "ongoing disruptive bitcoin theft" that used Tor Browser to disguise its true purpose. Tor is commonly associated with the dark web because it anonymizes a user's internet traffic.

According to Kaspersky, the operators have so far this year taken more than $400,000 in cryptocurrency by infecting about 15,000 victims with malware that targets their wallets.

Russia was the most severely affected of the 52 countries targeted, but the victims also included Belarus, regarded as a key ally of the Kremlin, as well as Western countries including the US, Germany, the UK, and France.

This would seem to rule out the idea that the threat actors behind the thefts, in which funds held in Bitcoin, Ethereum, Litecoin, Dogecoin, and Monero were stolen, are motivated in any way by partisan allegiances.

It has long been believed that Russia tolerates cybercriminals operating on its territory, provided they do not harm the country or its allies.

Yet, according to Kaspersky, Russia is likely the main target for a practical reason: Tor Browser's official download site is blocked in the country, so users must rely on third-party sources to obtain it, and those third-party downloads are exactly what the crypto-thieves rely on for the success of their scheme.

In the attack, according to the analysts, the victim downloads a "trojanized" version of Tor Browser from a third-party source. The download contains a password-protected archive in which the malware is hidden.

According to Kaspersky, the password exists to keep security software from scanning the archive's contents and detecting the malware. Once the file is dropped onto the victim's system, it registers itself for auto-start and disguises itself as a well-known program such as uTorrent.

The malware then watches the clipboard. When it finds text that looks like a cryptocurrency wallet address, it replaces that part of the clipboard contents with the criminals' own wallet address, so a payment the victim pastes into a wallet application goes to the attacker instead, according to the statement.
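The clipboard-substitution technique described above, as an added illustration that is not code from the article or from Kaspersky's report: a simulated "clipper" that picks out address-shaped tokens for the five coins named in the report and swaps them for attacker-controlled ones, alongside the check a wallet user or a monitoring tool can make by comparing what was copied with what was actually pasted. The address regexes are approximations of each coin's address shape (prefix, length, character set) and do not validate checksums, which is all such malware needs; every address below is a constructed placeholder, not a real wallet.

```python
import re

# Approximate address shapes for the coins named in the report.
# Shape-only matching (no checksum) is what a clipper uses to decide
# that clipboard text "is an address" worth replacing.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "LTC": re.compile(r"\b(?:ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b"),
    "DOGE": re.compile(r"\bD[a-km-zA-HJ-NP-Z1-9]{33}\b"),
    "XMR": re.compile(r"\b[48][a-km-zA-HJ-NP-Z1-9]{94}\b"),
}

# Constructed placeholder "attacker" addresses, one per coin (not real wallets).
ATTACKER_ADDRESSES = {
    "BTC": "bc1q" + "a" * 38,
    "ETH": "0x" + "ab" * 20,
    "LTC": "ltc1q" + "b" * 38,
    "DOGE": "D" + "A" * 33,
    "XMR": "4" + "A" * 94,
}

# Constructed sample of what a victim might copy: a payment note with an
# (equally constructed) Ethereum address in the middle of it.
VICTIM_ADDRESS = "0x" + "12" * 20
SAMPLE_COPY = "Send 0.5 ETH to " + VICTIM_ADDRESS + " by Friday"


def clip_substitute(clipboard_text, attacker_addresses):
    """Mimic the clipper: find the first address-shaped token in the clipboard
    text and replace only that token with the attacker's address for the same
    coin, leaving the surrounding text untouched so the swap is not obvious.
    Returns (coin, new_text); (None, unchanged_text) if nothing matched."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        m = pattern.search(clipboard_text)
        if m:
            swapped = clipboard_text[:m.start()] + attacker_addresses[coin] + clipboard_text[m.end():]
            return coin, swapped
    return None, clipboard_text


def detect_swap(copied, pasted):
    """Defensive check: compare the text the user copied with the text that came
    back out of the clipboard. Returns a list of (coin, original, replacement)
    for every address-shaped token that changed in between."""
    findings = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        before = pattern.findall(copied)
        after = pattern.findall(pasted)
        for original, replacement in zip(before, after):
            if original != replacement:
                findings.append((coin, original, replacement))
        # An address that disappeared or appeared from nowhere is also suspicious.
        if len(before) != len(after):
            findings.append((coin, " ".join(before), " ".join(after)))
    return findings


class SimulatedClipboard:
    """Minimal stand-in for the OS clipboard so the flow runs offline."""

    def __init__(self, infected=False):
        self.infected = infected
        self._text = ""

    def copy(self, text):
        self._text = text

    def paste(self):
        # An installed clipper tampers with the data between copy and paste.
        if self.infected:
            _, self._text = clip_substitute(self._text, ATTACKER_ADDRESSES)
        return self._text


def run_scenario(infected):
    """Copy the sample note, paste it back, and report any address swap."""
    clipboard = SimulatedClipboard(infected=infected)
    clipboard.copy(SAMPLE_COPY)
    pasted = clipboard.paste()
    return pasted, detect_swap(SAMPLE_COPY, pasted)


if __name__ == "__main__":
    for infected in (False, True):
        pasted, findings = run_scenario(infected)
        print("infected" if infected else "clean", "->", pasted)
        for coin, original, replacement in findings:
            print("  address swapped:", coin, original, "->", replacement)
```

The practical takeaway is the last function: the only reliable user-side defence against a clipper is to compare the pasted address, character by character, with the one you intended to send to, because the rest of the pasted text is deliberately left intact.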

The report said the rise of cryptocurrencies has produced this new class of malware actively targeting cryptocurrency owners and traders, "although this approach has been known for more than a decade and was first employed by banking trojans to alter bank account numbers."