A twenty-nine-year-old Lithuanian man was recently handed over to South Korean authorities following an international pursuit coordinated by Interpol. The investigation into his activities began several years ago after local reports of suspicious cryptocurrency transfers surfaced. Officials determined that the individual had been operating a sophisticated scheme that targeted users looking for ways to bypass software licensing fees for common operating systems and office suites.
The primary method of infection involved a modified version of KMSAuto, a well-known tool used for the unauthorized activation of Windows products. When unsuspecting users downloaded this version of the software, they unknowingly installed a malicious executable known as clipper malware. This program remained dormant on the system until it detected that a user had copied a cryptocurrency wallet address to their clipboard, at which point it would instantly swap the address for one owned by the hacker.
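The swap described above leaves a recognizable trace for defenders: one address-shaped clipboard value replaced by a different address of the same type within a fraction of a second. The following detection sketch is an added example, not code from the investigation or from any tool named in the article; the event format (timestamp, clipboard text), the one-second threshold, and all sample values are constructed assumptions.

```python
import re

# Publicly documented address shapes; shape only, no checksum validation.
ADDRESS_SHAPES = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address type the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_SHAPES.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(events, max_gap=1.0):
    """Flag address -> different address of the same type within max_gap seconds.

    events: time-ordered (timestamp_seconds, clipboard_text) tuples, assumed to
    come from endpoint telemetry (hypothetical format).
    """
    alerts, prev = [], None
    for ts, text in events:
        kind = address_kind(text)
        if prev and kind and kind == prev[2]:
            changed = text.strip() != prev[1].strip()
            if changed and ts - prev[0] <= max_gap:
                alerts.append({"time": ts, "kind": kind,
                               "copied": prev[1].strip(),
                               "replaced_with": text.strip()})
        prev = (ts, text, kind)
    return alerts

# Constructed sample values: address-shaped strings, not real wallets.
ETH_A, ETH_B = "0x" + "a1" * 20, "0x" + "b2" * 20
BTC_A, BTC_B = "1" + "A" * 33, "1" + "B" * 33
SAMPLE_EVENTS = [
    (10.00, "meeting notes"),
    (42.10, ETH_A), (42.15, ETH_B),   # replaced 50 ms after the copy: flagged
    (90.00, BTC_A), (300.00, BTC_B),  # minutes apart: a normal second copy
    (310.00, ETH_A), (310.20, "hello"),
    (400.00, ETH_A), (400.10, ETH_A), # same value re-copied: not a swap
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```
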
Data provided by the Korean National Police Agency indicates that this campaign was active for nearly three years, spanning from early 2020 to the beginning of 2023. During this window, the malware was distributed to approximately 2.8 million systems globally. Because the switch happened silently in the background, many victims did not realize their funds were being diverted until after the transactions had been permanently processed on the blockchain.
The financial impact of the operation was significant, with authorities estimating that the suspect successfully diverted approximately 1.7 billion Korean won, which translates to roughly 1.2 million U.S. dollars. These funds were gathered across more than eight thousand individual transactions, affecting thousands of unique digital asset addresses. The scale of the theft highlights the high risks associated with using unofficial or pirated software tools, which often serve as delivery mechanisms for persistent threats.
Following the initial report of cryptojacking in late 2020, South Korean investigators tracked the digital footprint of the stolen assets and worked with international partners to locate the suspect in Georgia. His extradition marks a major milestone in the case, as he now faces legal proceedings in Seoul. This incident serves as a warning to the public regarding the dangers of downloading executable files from unverified sources: these tools can easily get past a user's normal caution by providing a desired service while simultaneously compromising the user's financial security.
Source: Hacker Arrested For KMSAuto Malware Campaign With 28 Million Downloads



