Earlier this week, a user posting on the Ethereum subreddit (/r/Ethereum), the largest Ethereum community with over 131,000 members, revealed that malware installed on Windows computers is capable of altering Ethereum addresses when copying and pasting.

Bitcoin Address Modifying Malware First Discovered in February of 2016

Major antivirus development firm Symantec first discovered a trojan named “Trojan.Coinbitclip” in February of 2016, which automatically detects Bitcoin wallet addresses and changes them as Windows users copy and paste the data onto online platforms. By spreading the trojan through phishing attacks and conventional malware distribution methods, hackers behind the malware were able to steal funds from Bitcoin users on Windows computers by reallocating Bitcoin payments to other wallet addresses.

“Trojan.Coinbitclip is a Trojan horse that replaces Bitcoin addresses saved to the clipboard with ones supplied by the Trojan,” said Symantec.

According to Bitcoin journalist Luke Parker, malware such as Trojan.Coinbitclip stored around 10,000 Bitcoin wallet addresses in the code and used an algorithm to match the victim’s Bitcoin wallet addresses to similar addresses in its pool. The sophistication of the method made it difficult for Bitcoin users to spot the malware.

“This clever little invader carries with it a large list of bitcoin addresses and chooses the closest match when making the switch, making it harder to spot the switch. In the sample Symantec observed, there were 10,000 Bitcoin addresses stored in the code. The end result is that copying and pasting a payment address can easily trick you into sending your coins to the malware’s creator,” wrote Parker.

Similar Malware Targeting Ethereum Wallet Addresses Emerge

Apneal, the user who first discovered the Ethereum address modifying malware, stated that the malware was only spotted after a few transactions were already made. First, Apneal sent a small transaction of 0.01 Ether from a cryptocurrency exchange to a personal wallet address. But noticed that the personal wallet address used in the facilitation of the payment had not received an incoming transaction, which meant that the transaction was either not broadcasted to the Ethereum blockchain network or it was set to another address.

Immediately after confirming that the transaction was successful on Ethereum blockchain explorer Etherscan, Apneal went on to check the Ethereum address that was used to receive the payment. But, upon verifying the final address that was used to receive the payment, Apneal discovered that the transaction was sent to another wallet address.

“Copy the address from MyEtherWallet, paste into notepad. It changed it right on the spot. Maybe I didn’t copy right? Copy paste again, same address. Maybe my clipboard isn’t flushing? Copy other text on the screen and paste, that works, copy address again and paste, that same different address appears. Something funky with MyEtherWallet? Open up Firefox, go to my wallet, copy-paste. That works fine. This is on my end,” wrote Apneal.

Once a system becomes compromised, as seen in the case of Apneal, it is no longer useful to install antivirus software to eliminate or destroy the malware. Several users in the community have advised Apneal and other victims of the malware to format all of the connected drives to the system and reinstall the Windows system to entirely reset the device and the operating system.