New MassJacker malware targets piracy users, steals crypto

A new variant of cryptojacking malware, dubbed MassJacker, is reportedly infiltrating the devices of users looking to download pirated software. According to a report released by CyberArk on March 10, the malware hijacks cryptocurrency transactions by replacing crypto addresses copied to the clipboard with addresses controlled by the attackers.

The origin of MassJacker can be traced back to the website pesktop[dot]com, a hub for users seeking pirated applications. Upon downloading any software from this site, victims may unwittingly install the malware, putting their crypto assets at risk. CyberArk’s data indicates that the malware is linked to a staggering 778,531 unique wallets, though only a fraction—423 wallets—actually contained cryptocurrency at any point. The estimated total of crypto that had been transferred out from these wallets reaches approximately $336,700 as of August, although the company cautions that the actual figures may vary.

One wallet associated with this malware gained attention for its activity, holding over 600 Solana (SOL) valued at around $87,000 and having previously contained non-fungible tokens (NFTs) like Gorilla Reborn and Susanoo. For a closer examination of transactions, one can refer to the wallet’s details available on Solana’s blockchain explorer, Solscan, which showcases 1,184 transactions starting from March 11, 2022. This wallet also engaged in decentralized finance activities as recently as November 2024, involving swaps with other tokens, including Jupiter (JUP), Uniswap (UNI), USDC, and Raydium (RAY).

Crypto malware is not a recent phenomenon. The first publicly available script for cryptojacking emerged in 2017, courtesy of Coinhive, and since then cybercriminals have evolved their tactics, targeting various devices and operating systems. In a notable instance in February 2025, Kaspersky Labs detected crypto malware embedded within app development kits for both Android and iOS, capable of scanning images for crypto seed phrases. Similarly, Checkmarx noted the discovery of crypto-stealing malware within the Python Package Index, indicating that even developers are not beyond the reach of such threats.

The tactics employed by attackers have grown increasingly sophisticated. Among the more deceptive methods is the fake job scam, in which perpetrators recruit victims under the guise of a job offer. During these virtual interviews, victims are often led to “fix” audio or camera issues, and the supposed fix installs malware designed to drain their cryptocurrency wallets.

The “clipper” attack—a strategy where malware alters cryptocurrency addresses stored on the clipboard—remains less recognized than ransomware but presents notable advantages for attackers. This method operates discreetly and commonly evades detection in sandbox environments, making it a preferred choice for cybercriminals, as highlighted by CyberArk.
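The clipboard swap described above leaves a recognizable trace on a monitored endpoint: an address-shaped value is replaced, almost immediately, by a different address of the same type. The following detection sketch is an added example, not code from CyberArk's report; the event format, the two-second threshold and the sample addresses are assumptions constructed for illustration, and the patterns check address shape only, not checksums.

```python
import re

# Approximate address shapes (assumption: format check only, no checksum validation).
# Order matters: the Solana pattern is plain base58 and would also match BTC base58.
ADDRESS_PATTERNS = [
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("btc-bech32", re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")),
    ("btc-base58", re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("sol", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def address_kind(text):
    """Return the address type the clipboard text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag clipboard changes where one address is replaced by a different
    address of the same kind within max_gap seconds.

    events: list of (timestamp_seconds, clipboard_text), ordered by time.
    The short gap is the heuristic: a person rarely copies two different
    addresses of the same type that quickly, while a clipper reacts at once.
    """
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        kind = address_kind(old)
        if (kind and address_kind(new) == kind
                and old.strip() != new.strip() and t1 - t0 <= max_gap):
            alerts.append({"time": t1, "kind": kind,
                           "copied": old.strip(), "replaced_by": new.strip()})
    return alerts

# Constructed sample data: the addresses are filler strings, not real wallets.
ETH_A, ETH_B = "0x" + "11" * 20, "0x" + "22" * 20
BTC_A, BTC_B = "1" + "A" * 33, "1" + "B" * 33
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, ETH_A),
    (10.3, ETH_B),   # replaced 0.3 s after the copy: flagged
    (60.0, BTC_A),
    (95.0, BTC_B),   # 35 s later: treated as a deliberate second copy
    (120.0, "hello"),
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works as a last check before sending funds: compare the full pasted address with the intended one rather than only its first and last characters.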

With the growing complexity and adaptability of cryptocurrency-targeting malware, it becomes imperative for users to remain vigilant and employ robust security measures to safeguard their digital assets.

Laura Bennett

Laura Bennett is a digital marketing strategist and writer with a keen eye for online trends and audience engagement. With over seven years of experience, she specializes in data-driven content and digital growth strategies. Based in Virginia Beach, VA, Laura covers the latest in marketing, business, and online branding.
