Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.”
Because of the length of wallet addresses, most systems copy a wallet address and allow you to simply paste it in during transactions. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address.
Researchers with Check Point said they have seen 969 transactions intercepted, noting that Twizt “can operate without active command and control servers, enabling it to evade security mechanisms,” meaning each computer that it infects can widen the botnet.
In the last year, they have seen 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens stolen by Twizt operators, amounting to about $500,000. In one instance alone, 26 ETG was taken. Between April 2016 to November 2021, Phorpiex bots hijacked about 3,000 transactions worth nearly 38 Bitcoin and 133 Ether. The cybersecurity company noted that this was only a portion of the attacks taking place.