Crypto news

20.06.2026
05:35

Cyber War for Crypto Assets: USB Worms, Fake Reputations, and New Android Trojans — Threat Digest

security_new1

Over the past week, the cyber threat landscape in the cryptocurrency sector has undergone several significant changes. My colleagues and I have analyzed the most dangerous incidents that directly threaten both retail investors and institutional players. From self-replicating USB worms to sophisticated social engineering schemes, the attackers' arsenal is becoming increasingly sophisticated.

Fake Reputation as a Weapon: Crypto Clippers on GitHub and YouTube

Attackers have launched a campaign to deploy crypto clippers, using legitimate marketing techniques to create a false "reputation economy." The ultimate goal is to swap clipboard data to steal cryptocurrencies under the guise of trading tools in the Solana and Pump.fun ecosystems.

The clipper, written in Rust, targets Windows and macOS. It covertly monitors the clipboard and, upon detecting a copied wallet address, instantly replaces it with the hacker's details. To build trust, the attacker constructed a complex infrastructure of "ghost networks": on VirusTotal, fake accounts mass-posted positive comments to falsely classify malicious files as safe. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices, and on YouTube, a channel with over 91,000 subscribers is used to advertise software with AI-generated voices.

This shift in social engineering tactics is extremely dangerous. The successfully tested scheme of cross-platform reputation manipulation could be used in the future for the mass distribution of ransomware and more sophisticated info-stealers.

USB Worm with Self-Replication Capabilities

Microsoft experts have revealed details of a campaign distributing self-replicating malware targeting cryptocurrency owners. The infection process is triggered when a victim opens a modified shortcut file (.LNK) on a USB drive. The worm scans the system, hides original documents, and replaces them with malicious shortcuts. For self-replication, it creates a scheduled task that monitors ports and instantly copies itself to any new USB drive.

The stealer only activates if "Task Manager" is not running on the system. It establishes communication with a command server via Tor and monitors the clipboard every half-second for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Furthermore, every ten seconds, the virus takes five screenshots and sends them to the hackers. Activity of this worm has been recorded at least since February, and the main "red flags" are suspicious background activity from the wscript.exe and cscript.exe processes.

New Android Trojan Rokarolla: Full Device Control

Zimperium researchers have discovered an Android trojan targeting cryptocurrency theft. The Rokarolla malware's arsenal includes 137 remote commands, allowing it to intercept PIN codes, read SMS messages, manipulate the clipboard, and disable built-in OS protection mechanisms. The malware is distributed through malicious websites disguised as installers for TikTok and Google Chrome.

In the first stage, the victim downloads a program that mimics the Google Play Protect system component. Using social engineering, the dropper tricks the user into granting access to "Accessibility Services," after which it disables the real Play Protect scanner. A separate overlay mimics the standard Android lock screen, allowing the theft of the PIN code and gaining full control over the smartphone, even when locked.

Cash Collectors: A New Tactic in Crypto Scams

The FBI has reported a new tactic used by operators of cryptocurrency "pig butchering" schemes. Attackers have begun hiring couriers to collect funds from victims whose transactions are blocked by banking security systems. After convincing the victim to withdraw cash, the scammers send a courier who identifies themselves using a pre-arranged password. Upon receiving the money, the hackers simulate an increase in the balance in a virtual wallet and restart the cycle, demanding new payments for fictitious "taxes."

Vulnerability in Beats Studio Buds: Eavesdropping via Bluetooth

Apple has released a firmware update for Beats Studio Buds, fixing vulnerability CVE-2025-20701. The issue, related to incorrect authorization in the Bluetooth audio SDK, allowed a hacker within Bluetooth range to remotely connect their equipment to the headphones without the user's knowledge. The exploit provided almost complete control over the device, including the ability to eavesdrop via the built-in microphone.

My professional opinion: We are witnessing a convergence of classic cyberattack methods with new technologies—from AI-generated voices to the use of Tor for covert communication. Crypto investors need to rethink their security habits: avoiding USB drives from unknown sources, carefully checking permissions for Android apps, and critically evaluating any online "reputation" are the minimum set of measures to protect assets.