While the cryptocurrency mania that drove Bitcoin’s price to $20,000 may have eased, the threat posed by the most experienced cybercriminals hasn’t disappeared.

In fact, prominent information security firm Kaspersky Labs has detailed how some of the internet’s most well-known malware has evolved to better target cryptocurrency users and services.

Kaspersky’s researchers identified five threats to cryptocurrency users, as hackers rush to exploit those who are still learning to navigate the new digital asset economy.

1. Trojan horses

This quarter saw the notorious Trojan Rakhni morph to more efficiently steal cryptocurrency. When Rakhni was found back in 2013, it was purely focused on encrypting devices and holding data to ransom.

Kaspersky Labs notes that new versions of Rakhni have been found in the last three months. The new ones start by checking to see if there are Bitcoin-related folders stored on the target computer. If it finds a match, it will encrypt the device and demand a ransom.

If none exist, Rakhni installs malware that steals computing power to generate cryptocurrency before attempting to spread across the rest of the computers in the network.

Last week, Hard Fork reported that the Swiss ranked two similarly-evolved Trojan horses as some of the most widespread malware infesting Switzerland’s internet.

2. Social engineering and phishing

Cybercriminals have also ramped up their focus on social engineering to exploit newbie cryptocurrencers. Traditional techniques like phishing and fraudulent websites are still on the rise.

In the first half of 2018, Kaspersky recorded 100,000 attempts to redirect unsuspecting people to fake pages that mimic the authorization pages of popular cryptocurrency exchanges like Binance, Kraken, and Bittrex.

The quarterly analysis also reveals that attackers are also luring victims into divulging sensitive information by tricking them into a formal identification process after registering with the fake cryptocurrency services.

“Scammers also try to use the speculation around cryptocurrencies to trick people who don’t have a wallet: they lure them to fake crypto wallet sites, promising registration bonuses, including cryptocurrency,” Kaspersky warns. “In some cases, they harvest personal data and redirect the victim to a legitimate site. In others, they open a real wallet for the victim, which is compromised from the outset.”

3. Cryptocurrency mining botnets

‘Botnets’ refer to networks malware-infected computers capable of being controlled remotely. Usually, botnets are focused on distributing malware via spam, or performing crippling Distributed Denial-of-Service Attacks (DDoS).

Over the past three months, that’s changed. Kaspersky claims cybercriminals are starting to view botnets primarily as tools for cryptocurrency mining.

The researchers found the number of botnets spreading cryptocurrency mining malware increased this year. The instances of malware being downloaded via special virus-loaders called ‘droppers,” also increased. Droppers are typically distributed by machines controlled by a botnet.

“[This reflects] the fact that attacks are multi-stage and growing in complexity,” Kaspersky explains. “[But i]ncreasingly, botnets are leased according to the needs of the customer, so in many cases it is difficult to pinpoint the ‘specialization’ of the botnet.

Overall, this shift has led to Kaspersky Labs recording over 2.7 million instances of people coming into contact with cryptocurrency malware since 2017.

4. Sextortion

The Bitcoin ‘sextortion’ email was one of the most common scams of this quarter.

Those behind the scam attempted to garner credibility by using stolen passwords to create the illusion that the victim’s computer had been compromised, and the attacker had recorded a video of them enjoying some pornography.

The fraudsters then threaten to send a copy of the video to all of the victim’s contacts, lest they pay four-figure Bitcoin BTC ransom within a day.

“The scammer includes a legitimate password in the message, in a bid to convince the victim that they have indeed been compromised,” Kaspersky explains. “It seems that the passwords used are real, although in some cases at least they are very old. The passwords were probably obtained in an underground market and came from an earlier data breach.”

5. Malware on Mac OS

Despite the numerous threats analyzed by Kaspersky Labs over the year, the state-sponsored hacking crew Lazarus maintains as the primary driving force for attacks on businesses and financial operators within the cryptocurrency sector.

Hard Fork previously reported Lazarus had successfully infiltrated popular cryptocurrency exchanges, fintech companies, and even banks, by tricking employees into downloading a Trojanized (and fake) cryptocurrency trading application.

Kaspersky Labs warns the groups success will lead it to build new malware specifically for Linux operating systems, considering this is the first instance of Lazarus using malware specifically designed for Mac OS.

“It would seem that in the chase after advanced users, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools,” Kaspersky researchers noted. “The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.”

Lazarus is no joke. A few months ago, the group was found to be the most powerful cryptocurrency hackers in the world, having earned a whopping $571 million in ill-gotten cryptocurrency since last year.