MassJacker Malware Hijacks Crypto Wallets, Stealing Over $300K


March 15, 2025

Key Takeaways:

  • MassJacker targets piracy users, replacing copied crypto wallet addresses with those of attackers.
  • Over 750,000 addresses were identified, with one wallet holding over $300,000.
  • Malware linked to MassLogger, suggesting a connection to past cryptojacking campaigns.

A new form of cryptojacking malware, MassJacker, is making waves in the cybersecurity space. It targets users who engage in software piracy, secretly hijacking their cryptocurrency transactions.

According to CyberArk's report, the malware works by monitoring clipboard data and replacing copied wallet addresses with the attacker's own addresses. Victims who do not notice the swap unwittingly transfer their funds to the cybercriminals.

Unlike most ransomware or phishing attacks, MassJacker executes silently in the background. CyberArk's analysis traced the malware to pirated software distribution websites, with the infection chain leading back to a popular site for unauthorized downloads of programs.

When a user downloads and executes an infected applet, a sequence of scripts runs in the background and injects malicious code into processes on the system.

Deeper analysis shows that MassJacker employs multiple layers of obfuscation, making it difficult to detect. Using advanced mechanisms such as JIT hooking and metadata token mapping, the malware conceals itself while it performs its operations.


These tactics reflect some connection with previously known malware, MassLogger, but MassJacker focuses on cryptojacking only rather than general-purpose credential stealing.

778,531 Crypto Wallets Compromised, $300,000 Stolen

The study found that MassJacker hijacked crypto transactions using 778,531 unique wallet addresses. Although most of these were zero-balance accounts, at least 423 of them held significant funds at some point.


The stolen amount exceeded $336,000, with a single Solana account belonging to the attackers receiving more than $300,000.


MassJacker maintains lists of attacker-controlled crypto wallets. These lists are stored encrypted and are updated dynamically from Command and Control (C2) servers.

Once the malware detects that a crypto address has been copied to the clipboard, it replaces that address with one from its database, so the funds are sent to the attacker instead. Stolen funds tend to move rapidly through numerous wallets, making tracing and recovery hard.

Interestingly, most of the transactions from affected machines were sent to only a small number of high-value wallets, suggesting a single coordinated effort rather than many individual actors.

A single Litecoin wallet received funds from several affected accounts, and one entity is suspected of being behind the entire scheme.

Implications and Protection Against MassJacker

MassJacker's discovery also highlights the ongoing threat posed by pirated software downloads. As cryptojacking malware continues to grow more sophisticated, users need to be cautious with their crypto transactions.

One of the simplest but most effective precautions is to double-check the copied wallet address before sending any transaction.

Security experts also recommend using trusted security tools that can identify clipboard hijacking activity. Operating systems and applications should be kept up to date so that known vulnerabilities cannot be exploited by such malware.
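As an added illustration of the clipboard-swap behaviour described above and of the kind of detection such tools perform, the following Python snippet (example code written for this article, not CyberArk's or MassJacker's code) polls clipboard snapshots and flags the clipper's signature: an address silently replaced by a different address of the same chain within seconds of being copied. The address patterns are loose shape checks, the snapshots are constructed sample data, and the 2-second window is an assumed heuristic.

```python
import re
from dataclasses import dataclass

# Loose address-shape patterns (constructed for this example; they match the
# general format of each chain's addresses and are not full validity checks).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def classify_address(text):
    """Return the chain whose address shape `text` matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

@dataclass
class Alert:
    chain: str
    original: str
    replacement: str
    seconds_after_copy: float

def detect_clipboard_swaps(snapshots, max_gap=2.0):
    """snapshots: iterable of (timestamp_seconds, clipboard_text) polled in order.
    A swap is flagged when an address is replaced by a different address of the
    same chain within `max_gap` seconds: a user rarely copies two distinct
    same-chain addresses back to back that quickly, but a clipper always does."""
    alerts = []
    prev_time, prev_text, prev_chain = None, None, None
    for ts, text in snapshots:
        chain = classify_address(text)
        if (prev_chain is not None and chain == prev_chain
                and text != prev_text and ts - prev_time <= max_gap):
            alerts.append(Alert(chain, prev_text, text, ts - prev_time))
        if text != prev_text:          # only record the moment the content changed
            prev_time, prev_text, prev_chain = ts, text, chain

    return alerts

# Constructed clipboard history: the user copies an ETH address, it is swapped
# one second later, then a minute later they legitimately copy other addresses.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "0x" + "a1" * 20),                       # intended recipient copied
    (1.5, "0x" + "a1" * 20),                       # poll: unchanged
    (2.0, "0x" + "b2" * 20),                       # silently swapped -> alert
    (60.0, "0x" + "c3" * 20),                      # new copy, 58 s later -> no alert
    (61.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # different chain -> no alert
]

def run_sample():
    return detect_clipboard_swaps(SAMPLE_SNAPSHOTS)
```

In a real tool the snapshots would come from polling the OS clipboard; the heuristic still misses a swap that happens before the first poll after the copy, so verifying the pasted address against the intended one remains the last line of defence.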
