Key Takeaways
A Lithuanian national has been arrested in connection with a large-scale KMSAuto clipper malware campaign. The 29-year-old suspect was apprehended in Georgia in an international law enforcement action and subsequently extradited to South Korea following a multi-year investigation coordinated through Interpol.
The operation targeted users of KMSAuto, an illegal tool for activating unlicensed copies of Microsoft Windows and Office. The individual is accused of distributing clipper malware disguised as the tool, leading to the infection of approximately 2.8 million systems globally between April 2020 and January 2023.
The campaign's primary threat vector was clipper malware, a type of malicious software designed to monitor a system's clipboard. When a user copies a cryptocurrency wallet address to paste into a transaction, the malware automatically replaces it with an address controlled by the attacker.
The Korean National Police Agency reported that this scheme facilitated approximately 8,400 fraudulent transactions from about 3,100 unique cryptocurrency addresses belonging to victims from 234 countries worldwide, including South Korea.
The campaign resulted in the theft of virtual assets valued at approximately 1.7 billion won ($1.2 million). Eight Koreans were confirmed to have suffered a total of 16 million won in damages.
The investigation began in August 2020 after reports of cryptojacking led authorities to the malicious KMSAuto tool, the police report said.
Law enforcement conducted a raid in Lithuania in December 2024, seizing 22 items, including laptops and mobile phones containing incriminating evidence. This led to the final arrest in April 2025.
Authorities warn that using illegal software activation tools carries substantial risk, as they are a common vector for malware distribution. Users are strongly advised to avoid unofficial software and only use executables from trusted sources.
In September, an advanced cryptojacking campaign used an obfuscated AutoIt Loader to deliver NBMiner.