The Jigsaw malware is back and it is ready to steal Bitcoin from consumers once again.

Jigsaw is Back to Scare Bitcoin Users

ZDNet recently reported that the “Jigsaw” ransomware has recently been revised by hackers to steal Bitcoin from unsuspecting users through a “simple-but-effective trick.”

According to the technology news source, Jigsaw first appeared in the cryptocurrency scene in April 2016 as a form of ransomware, holding the files and information of users hostage until a ransom of Bitcoin was paid. The reason why it is named Jigsaw is due to the fact that the piece of code displayed the likeness of the Saw horror film villain.

However, with this most recent revision, the ransomware has been re-purposed to steal Bitcoin in a fairly innovative and non-intrusive manner, modifying the addresses inputted by a user. Once the piece of malware alters an address, the Bitcoin payment will then be redirected to the hacker’s wallet, resulting in lost crypto for the victim.

Jigsaw, or “BitcoinStealer,” as it is known by references in the code of the program, accomplishes this by altering Bitcoin addresses in someone’s clipboard, or the area where copied pieces of text lie.

However, the ingenuity of the program does not stop there, as BitcoinStealer is able to the intended address of the payment to one that looks very similar, using a program such as VanityGen to trick the user into thinking the hacker’s address and the original address are one and the same.

This ingenuity has proven to be rather successful, with researchers from Fortinet, who first broke the news about Jigsaw, saying that cyber attacks utilizing this method have garnered over 8.4 Bitcoin, or approximately $61,000 at current market prices. Fortinet also discovered that there were many similar projects for “modifying cryptocurrency addresses” being advertised on dark web forum sites, presumably by hackers enlisting the same method of attack.

Crypto-Related Cybercrime is Still Prevalent Despite Price Decline

However, this method of cybercrime, which the cyber researchers called the “clipboard-substitution malware family,” was not mentioned in a recent threat report from the cybersecurity firm Malwarebytes.

According to the report released on July 17th, ransomware and cryptojacking were by far the primary sources of crypto-related cybercrime, with “cryptominers continuing to dominate” the threat landscape.

Despite starting to slow down due to declining cryptocurrency prices and mining profits, the Cybercrime Tactics & Techniques Report for Q2 2018 still found that cryptominers are as prevalent as ever, noting:

“Cryptomining detections are slowly declining; however, as one of the top two detections for both businesses and consumers, they still dominate the threat landscape”

Nonetheless, moving into Q3 of 2018, Malwarebytes expects for cryptojacking cases to slowly fade, as cybercriminals follow the industries where they can make the biggest profits. The security firm wrote:

“Ultimately, many criminals aren’t getting the return on investment (ROI) from cryptomining they were expecting. The cryptojacking craze will likely stabilize as it follows market trends in cryptocurrency… Until changes in the cryptocurrency market cause a spike or swift downturn, expect to see cryptomining hum along at its current slower pace into Q3.”

It is likely that the propagation of clipboard-substitutions will become a growing threat for cryptocurrency users moving into the future, as it is a much more reliable, non-intrusive and profitable way for hackers to get their hand on consumer crypto.

So watch out, double, triple or even quadruple check the address when you send your next Bitcoin transaction.

Featured image from Shutterstock.