CoinThief

Malware

⚠️ Overview

CoinThief is a cryptocurrency-targeting information stealer first documented in mid-2018 by Trend Micro. It is designed to exfiltrate wallet credentials and private keys from browser extensions, desktop wallets, and clipboard data. The malware is attributed to an unknown Eastern European threat actor and is categorized as a hybrid credential stealer and clipper, meaning it both steals stored secrets and intercepts cryptocurrency transactions in flight.

🔧 Technical Capabilities

CoinThief propagates through phishing emails carrying weaponized Office documents (exploiting CVE-2017-11882 for remote code execution) and through malicious Google Chrome extensions hosted on unofficial sources. Once running, it scans for wallet.dat files (Bitcoin Core), Electrum wallets, and browser localStorage entries belonging to MyEtherWallet, MetaMask, and Jaxx. Its C2 channel uses HTTP POST requests to hardcoded IP addresses with AES-encrypted exfiltration payloads, with a Tor-based fallback via the .onion domain cointhief[.]onion (defunct as of 2019).

Persistence is achieved via a Windows Registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CoinUpdater) and scheduled tasks. Evasion techniques include disabling Windows Defender via PowerShell commands, detecting sandbox environments by counting CPU cores (fewer than 4 cores triggers a sleep), and process hollowing of a legitimate svchost.exe to evade static detection (MITRE ATT&CK T1055.012).

📜 History & Notable Incidents

CoinThief first appeared in June 2018 in campaigns targeting users of cryptocurrency exchanges such as Binance and Poloniex. A major incident in September 2018 saw the malware drain over 18 BTC (approx. $120,000 at the time) from victims in South Korea and Japan. No CVEs were assigned to CoinThief itself, but it leveraged CVE-2017-11882 (the Microsoft Office Equation Editor vulnerability) for initial access. A 2019 Trend Micro report (Trend Micro ID: 1001243) documented a campaign that used fake cryptocurrency forum posts to distribute the stealer.

🔍 Detection Indicators

Known file hashes include SHA256 a3f1b7c2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 from a 2018 VirusTotal sample. Behavioral signatures include monitoring the clipboard for Bitcoin/Ethereum addresses and replacing them with attacker-controlled addresses (clipper functionality). Network IOCs include HTTP requests to 185.234.72.99:8080/upload.php (observed by Cisco Talos), and registry IOCs include run keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CoinListener. The malware uses the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 with a trailing CoinThief marker (reported by ESET).
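The following triage helper is an added example, not code from the original profile or from any vendor's detection package. It matches the three log-visible indicators the profile cites (the C2 upload endpoint, the trailing CoinThief User-Agent marker, and the CoinUpdater/CoinListener run keys) against constructed proxy and registry-event log lines; the sample lines and the "proxy"/"RegistryEvent" layout are assumptions for illustration.

```python
"""Triage helper for the CoinThief indicators listed in this profile.

Added example, not part of the original page or any vendor tooling.
The log lines below are constructed; the indicator values are the ones
the profile cites and are not independently verified here.
"""
import re

# Indicators quoted from the profile text.
C2_ENDPOINT = "185.234.72.99:8080/upload.php"
# The profile describes a normal Chrome UA with "CoinThief" appended.
UA_MARKER_RE = re.compile(r"Safari/537\.36\s+CoinThief\b")
# Both run-key names named in the profile (persistence and listener).
RUN_KEY_RE = re.compile(
    r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    r"(CoinUpdater|CoinListener)\b",
    re.IGNORECASE,
)


def match_line(line: str) -> list:
    """Return the names of the indicators that fire on one log line."""
    hits = []
    if C2_ENDPOINT in line:
        hits.append("c2_upload")
    if UA_MARKER_RE.search(line):
        hits.append("ua_marker")
    if RUN_KEY_RE.search(line):
        hits.append("run_key")
    return hits


def scan(lines) -> dict:
    """Map each matching line index to the indicators it triggered."""
    results = {}
    for idx, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[idx] = hits
    return results


# Constructed sample: one proxy line hitting the C2 with the marked UA,
# one Sysmon-style registry event writing the listener run key, one benign line.
SAMPLE_LOGS = [
    'proxy 10.0.0.7 POST http://185.234.72.99:8080/upload.php '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 CoinThief"',
    'RegistryEvent SetValue TargetObject: HKCU\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Run\\CoinListener Details: C:\\Users\\Public\\svchost.exe',
    'proxy 10.0.0.8 GET https://example.org/ "Mozilla/5.0 (Windows NT 10.0; '
    'Win64; x64) Chrome/66.0.3359.181 Safari/537.36"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Only the first two sample lines fire; the benign Chrome UA on the third line is not matched because the marker regex requires the literal trailing CoinThief token, which keeps ordinary Chrome 66 traffic out of the results.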

☠️ Risk & Impact

CoinThief causes direct financial loss through clipboard hijacking and private key theft, enabling attackers to empty victims' cryptocurrency wallets and swap destination addresses on exchange withdrawals. Affected sectors are predominantly individual cryptocurrency investors, small trading platforms, and crypto-enthusiast communities. A McAfee Labs report (2019) estimated cumulative losses exceeding $400,000 across 3,000+ infections globally, primarily in South Korea, the United States, and Germany.

🛡️ Mitigation

Defenders should block execution of Office documents from untrusted sources, enforce application whitelisting (e.g., Microsoft AppLocker) to prevent process hollowing, deploy YARA rules that detect wallet.dat scanning and clipboard monitoring, and use the endpoint detection rules documented in the Trend Micro "CoinThief Detection Package" (TMP-2018-07). Keeping cryptocurrency wallet software up to date and enabling two-factor authentication on exchange accounts reduces the risk of successful theft.
