Bitcoin-stealing malware found in Chinese printer driver

Security experts have uncovered a malware program that steals Bitcoin in the official driver of Procolored, a printer company based in Shenzhen, China. In a post on X, the experts said the hackers had used the malware to steal 9.3 Bitcoin.

According to the tech website Blue Dot Network, Procolored transferred the infected driver from a USB flash drive and uploaded it to its servers for users to download. It is unclear whether this was a deliberate attack by the company or if it involved a third party.

However, experts believe the driver was developed by a third party who likely added the malware. They noted that most hardware manufacturers in China outsource their software development to third parties. Thus, the third-party developer likely sent the driver to Procolored using a USB flash drive after adding the backdoor.

Meanwhile, Yu Xian, the founder of blockchain security firm SlowMist, has further investigated the issue and discovered how the backdoor functions. He explained that the code in the printer driver could hijack wallet addresses on the users’ clipboards and change them to those of the attacker.

He said:

“This printer’s official driver comes with backdoor code… which can hijack the wallet address in the user’s clipboard and replace it with the attacker’s own: 1BQZKqdp2CV3QV5nUEsqSglygegLmqRygJ.”

While this might look like an address poisoning attack, Xian admitted it is a classic case, noting that the stolen Bitcoin had been laundered long ago.

Interestingly, he found that all the stolen BTC was not due to the printer alone, as the malware had been active for eight years and infected several applications. The first theft happened back in April 2016, while the most recent was in March 2024.

Bitcoin attack vectors continue to grow with crypto market expansion

Meanwhile, the incident highlights the variation of threats that crypto users are facing. With the crypto market expanding in size and value and attracting more mainstream attention, bad actors have also turned their eyes toward it.

The result is a growing number of attack vectors that the average crypto user may need to face. These attacks, ranging from phishing to malware to exploiting vulnerabilities, have allowed bad actors to make over $1.7 billion this year alone.

While most of these attack vectors are not new, scammers also leverage some crypto users’ ignorance to steal their funds. For instance, users of hardware wallet Ledger have been getting physical letters and fake wallets that look like the original ledger, asking them to migrate their crypto assets to the new device.

According to experts, this scam is not new. It dates back to 2021, when hackers gained access to the information of several Ledger users, including their names, emails, and even physical mailing addresses. However, some users are still falling victim to it.

Physical threats pushing crypto whales to increase their security

Interestingly, the risk of exploiting and being the target of phishing scams is not the only challenge crypto users face. There have also been increasing physical and violent attacks on known crypto holders and their relatives.

Recently, the daughter of Paymium CEO Pierre Noizat was almost abducted in Paris. Paymium is a France-based crypto exchange. This was not a one-off incident, as the father of another crypto entrepreneur was previously abducted in the city but rescued by the police.

Even the co-founder of Ledger, David Ballant, was also abducted in January with his wife in Paris and had his finger severed before his eventual release.

While France appears to be the hotspot, there have also been several incidents in other countries.  A public directory of known crypto attacks by Jameson Loop showed that there have been three attacks this month, with the most recent happening on May 14 when three Chinese citizens tried to rob a mining facility in Paraguay.

With the risks of physical attacks for crypto users now rising, it is unsurprising that large crypto holders are turning to private security firms. According to reports by Bloomberg, Wall Street Journal, and Wired, crypto whales have increased their demand for bodyguards.

That demand will likely increase with recent data leaks from exchanges putting personal information, including crypto users’ physical locations, in bad actors’ hands.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now