New Fake Tor Browser Theft Campaign Steals Over $400,000 In Crypto

By   Olivia William
Writer , Information Security Buzz | Mar 29, 2023 04:10 am PST

Russians and people in Eastern Europe are the targets of an increase in fake Tor Browser installations that hijack clipboards to steal cryptocurrency transactions. Although this assault is not particularly innovative or novel, Kaspersky scientists caution that it is nevertheless widespread and effective, infecting numerous users across the globe.

While these malicious Tor installers target various nations, Kaspersky claims that most mostly target Russia and Eastern Europe. According to the Tor Project itself, we may tie this to the website being blocked in Russia towards the end of 2021, says Kaspersky. With more than 300,000 daily users or 15% of all Tor users, Russia was the second-largest country by the number of Tor users in 2021, according to the latter.

Fake Tor Browser Contains Malicious Installations

The Tor Browser is a customized web browser that enables anonymous web browsing by obscuring users’ IP addresses and encrypting their traffic. Tor can also be used to access unique onion domains, commonly called the “black web,” which are inaccessible via conventional browsers or ordinary search engines and only accessible through Tor.

Owners of cryptocurrencies may utilize the Tor browser to increase their privacy and anonymity when transacting with cryptocurrencies or to access illicit dark web market services that accept cryptocurrency payments.

Trojanized Tor installations are frequently pushed to users in nations where Tor is illegal or marketed as “security-enhanced” variations of the official vendor, Tor Project, making it more difficult to obtain the latter.

According to Kaspersky, these installers include a regular, albeit frequently out-of-date, Tor browser and an additional application concealed inside a password-protected RAR package configured to self-extract on the user’s computer.

The installers feature language packs that let users choose their chosen language, and they are also localized with names like “torbrowser ru.exe.”

The malware is extracted by the archive in the background, executed as a new process, and registered it for system autostart while the default Tor browser starts in the front. Moreover, the malware conceals itself on the compromised PC by using an uTorrent icon.

Based on information from users of its security products, Between August 2022 and February 2023, Kaspersky found 16,000 different permutations of these fake Tor browser installers in 52 different countries. The United States, Germany, China, France, the Netherlands, and the UK have also been seen as targets, albeit the majority are Russia and Eastern Europe.

Kaspersky’s Monthly Infection Detection Rate

It is typical to copy bitcoin addresses to the clipboard before pasting them into another software or webpage because they are lengthy and difficult to enter. The malware scans the clipboard using regular expressions for recognizable crypto wallet addresses. When one is found, it replaces it with a related cryptocurrency address controlled by the threat actors.

The threat actor’s address will be pasted instead of the user’s cryptocurrency address when the user copies and pastes, giving the attacker access to the sent transaction. According to Kaspersky, the threat actor randomly chooses thousands of addresses from a hardcoded list for each malware copy. Tracking, reporting, and banning wallets are difficult as a result.

The cybersecurity firm discovered that they had stolen about $400,000, excluding Monero, which cannot be tracked, after unpacking hundreds of malware samples they had amassed to extract the replacement addresses.

There are very certainly other campaigns using trojanized installers for various applications. However, this money was only taken from one campaign run by a particular malware author. Install software exclusively from reliable/official sources, such as the Tor Project website, to protect yourself against clipboard hijackers.

Safety Concerns

Also, Kaspersky specialists advise users on how to keep cryptocurrencies secure:

  • Software should only be downloaded from reputable websites; whenever possible, stay away from third-party websites and stick to legitimate ones. Before downloading any software, be sure it is real.
  • Update your software regularly. Make sure the most recent security patches and updates are installed on your operating system, browser, and other software. This aids in preventing the exploitation of known vulnerabilities.
  • Employ security tools: a solid security tool will shield your gadgets from a variety of dangers. Every bitcoin malware, both known and new, is avoided by Kaspersky Premium
  • Use caution when opening email attachments and links. Never open attachments or click links from questionable or unknown sources since they can be infected with malware.
  • When downloading any program, be sure that it has a digital signature to prove that it is real and has not been tampered with.


Since September 2022, users in Russia and Eastern Europe have been the target of clipper malware that infects fake TOR browser installs and steals cryptocurrency. According to Vitaly Kamluk, director of the global research and analysis team (GReAT) for APAC at Kaspersky, “Clipboard injectors […] can stay silent for years, exhibit no network activity, or any other evidence of presence until the catastrophic day when they replace a crypto wallet address.”

Another noteworthy feature of clipper malware is that it is more evasive because its evil actions are not activated unless the clipboard data meet certain conditions. It could be clearer how the installers are delivered. Still, evidence suggests that it may be through torrent downloads or some other unidentified third-party source, given that Russia has recently imposed blockades on the Tor Project website.

Regardless of the technique employed, the installer starts the genuine executable and also the clipper payload, which is intended to watch the contents on the clipboard. The clipboard’s contents are scanned using a set of embedded regular expressions if they contain text, according to Kamluk. If it does, a randomly selected address from a hardcoded list is used in its place.