On April 9, 2025, Kaspersky – a leading cybersecurity company – discovered dangerous malware on SourceForge, a legitimate software download platform, silently stealing users' cryptocurrency by replacing the crypto wallet address on the clipboard. With 4,604 users in Russia affected from January to March 2025, will this threat spread globally? Let's explore the details.
ClipBanker: Sophisticated 'Wallet Address Replacement' Malware
According to a report from Kaspersky on the SecureList blog, this malware is disguised as add-ins for Microsoft Office on SourceForge – a reputable website specializing in providing open-source software. When users download and install it, the malware installs ClipBanker on the device. ClipBanker operates by monitoring the user's clipboard, replacing the cryptocurrency wallet address that the user copies with the attacker's wallet address.
Most crypto wallet users copy and paste wallet addresses instead of typing them manually, which lets the address replacement go unnoticed. As a result, the victim's money is sent to the attacker's wallet without their knowledge. Kaspersky warns: 'Users often do not notice the change until the money has been sent elsewhere contrary to their original intention.'
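As a defensive illustration of the behaviour described above, the following added example (not code from Kaspersky's report or from the malware) scans a clipboard history for an address that is replaced by a different address of the same family moments after it was copied, and checks a pasted address against the intended one. The address patterns, the 2-second window, the function names and the sample events are assumptions of this example.

```python
import re

# Simplified address shapes (assumption of this example; no checksum validation).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address family the text looks like, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag clipboard changes where a wallet address is replaced by a different
    address of the same family within max_gap seconds (a heuristic: a person
    rarely copies two different addresses that quickly).
    events: list of (timestamp_seconds, clipboard_text), oldest first."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        kind = address_kind(old)
        same_family = kind is not None and kind == address_kind(new)
        if same_family and old.strip() != new.strip() and t1 - t0 <= max_gap:
            alerts.append({"time": t1, "kind": kind,
                           "copied": old.strip(), "now": new.strip()})
    return alerts

def verify_before_send(intended, pasted):
    """True only if the pasted address equals the one the user meant to pay."""
    a, b = intended.strip(), pasted.strip()
    if address_kind(a) == "eth":  # hex addresses compare case-insensitively
        a, b = a.lower(), b.lower()
    return a == b

# Constructed sample: placeholder strings with the right shape, not real wallets.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "11" * 20),   # user copies the recipient address
    (5.3, "0x" + "22" * 20),   # clipboard content changes 0.3 s later
    (60.0, "1" + "A" * 33),    # unrelated address copied much later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print("possible clipboard swap:", alert)
```
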
Infection Method: Sophisticated Spoofing on SourceForge
Although SourceForge is a legitimate platform, the attacker exploited the reputation of this site to distribute malware. Specifically, they created a download link that appears valid, but actually redirects users to another page containing the malware. This fake installer is 700MB in size, but most of it is junk files to mislead users. The actual malware only takes up 7MB.
Kaspersky's report states that the malware's source code is written in Russian, with 90% of potential victims being users in Russia – a total of 4,604 people affected from early January to late March 2025. However, the download page is written in English, indicating that the attacker could expand their reach beyond Russia, targeting users globally.
Serious Consequences: Not Just Losing Crypto
Kaspersky emphasizes that the threat does not stop at stealing cryptocurrency. This malware also deploys a cryptocurrency miner on the victim's device, using computer resources to generate profits for the attacker. Furthermore, the methods used by the attacker to maintain access are quite notable. Kaspersky states: 'The attacker uses multiple methods, including unconventional ones, to maintain access to the infected system.'
Worse, the attacker can sell access to the victim's system to more dangerous criminal organizations. This can lead to more severe attacks, such as stealing personal data, deploying ransomware, or using the victim's device in botnet campaigns.
Warning from Kaspersky: Be Cautious with Download Sources
Kaspersky advises users not to download software from untrusted sources. 'If you cannot download software from an official source for any reason, remember that searching for alternative download options always comes with higher security risks,' the report states. This is especially important in the context of a crypto market facing numerous threats, with similar campaigns previously recorded – such as the fake Tor Browser malware that stole $400,000 in 2023, according to Kaspersky.
Impact on the Crypto Market
This incident raises security concerns in the cryptocurrency market, which has already seen an 11.65% decline in capitalization (2.88 trillion USD) in Q1 2025. Bitcoin and Ethereum are also under pressure, dropping 14% and 50%, respectively. The rise of threats like ClipBanker could undermine investor confidence, especially among individual users – the most vulnerable group due to a lack of in-depth security measures.
Conclusion: Protecting Crypto Wallets in the Age of Cybercrime
The ClipBanker malware on SourceForge serves as a serious warning for crypto users: always carefully check the wallet address before transacting and only download software from trusted sources. With 4,604 victims in Russia from January to March 2025 and the risk of global expansion, this threat shows that cybercrime is becoming increasingly sophisticated. In the context of a volatile crypto market, protecting digital assets has never been more important. Are you ready not to become the next victim?
Risk warning: Crypto trading carries high risks due to price volatility and cybersecurity threats. Always stay vigilant and implement necessary security measures.