- A backdoor in an official printer driver is being used to steal cryptocurrency from users’ wallets.
- The exploit replaces crypto wallet addresses copied to a user’s clipboard with the attacker’s address.
- At least 9.3 Bitcoin, valued at about $989,000, has been stolen using this method.
- The attacker’s wallet has been active since 2016 and is linked to multiple crypto exchanges.
- This attack is similar to past clipboard-hijacking Malware incidents, but spreads via legitimate-looking software drivers.
MistTrack, a blockchain security platform, recently announced that a malicious exploit is targeting crypto users by embedding a backdoor into a printer driver. The exploit, discovered by the Cybersecurity arm of SlowMist, allows the attacker to intercept and alter cryptocurrency wallet addresses stored in a user’s clipboard.
According to on-chain data from MistTrack, the attacker has collected a minimum of 9.3 Bitcoin, worth around $989,000, from victims’ crypto transactions. The suspect’s wallet has sent and received funds from numerous on-chain addresses, and has been linked to several crypto exchanges.
The official printer driver identified in this attack installs a backdoor program once loaded onto a device. “The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address,” stated MistTrack in a recent post.
The malware works by monitoring the clipboard, which temporarily stores data a user copies. When a user copies a crypto wallet address, the malware replaces it with the attacker’s address. If the change goes unnoticed, funds are unintentionally sent to the attacker’s wallet.
A similar technique surfaced in March 2025 with malware called MassJacker, according to CyberArk. MassJacker allegedly used hundreds of thousands of unique addresses and spread through pirated or cracked software from unofficial sources. However, the current printer driver exploit relies on a recurring wallet address and is distributed through legitimate-seeming software.
On-chain activity shows the main attacker’s wallet address has been operational since April 2016. The last detected transaction before the recent thefts was on March 14, 2024. The wallet has connections to several crypto exchanges, potentially complicating tracing efforts.
Cybersecurity experts advise crypto users to only install drivers and applications from verified, official sources to reduce exposure to these types of clipboard-hijacking threats.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- SafeMoon CEO Defense Cites Doubts in Fraud, Conspiracy Charges
- Crypto Founder Abducted in Uganda, Forced to Transfer $500K
- Questions Arise Over ADA Fund Movements — Hoskinson Denies Misuse
- Bold, My Aion Launch $2.5B AI Smart City Project in Abu Dhabi
- Apex Group to Acquire Full Stake in Fund Tokenization Firm Tokeny
