
Crypto Heist Fueled by Elaborate Fake Reputation-Boosting Campaign

Dark Reading, archived Jun 22, 2026

Attackers are using multiple online channels — including GitHub, YouTube, and VirusTotal — to build an illusion of trust to spread a cross-platform clipboard hijacker.



Elizabeth Montalbano, Contributing Writer
June 22, 2026

Cybercriminals have created an elaborate, global reputation network — comprised of GitHub repositories, SourceForge projects, bogus YouTube videos, and other online assets — in a wide-scale cryptocurrency heist that targets both Windows and macOS platforms.

While the campaign does not specifically target enterprises, it demonstrates an evolution in how threat actors no longer need to rely on traditional channels of malware distribution and instead can go right to the source using advanced social engineering, according to researchers.

Check Point Software uncovered the campaign, which spreads a Rust-based clipboard hijacking malware targeting "users who are looking for shortcuts and quick profits — particularly crypto owners and online crash‑game gamblers and traders who are attracted by promises of automated gains and 'predictable' outcomes," according to a post published last week.

What's arguably most notable about the campaign, however, is not necessarily who it's targeting or the malware itself, but the extensive multichannel promotion that attackers used to convince users that they will have an "unfair advantage" in their crypto activity by downloading their fake tools.

The ultimate payload of the campaign is a clipboard hijacker that has Windows and macOS versions. Both versions are designed for stealing cryptocurrency from their targets by repeatedly obtaining crypto wallet addresses from their clipboards and maintaining persistence on the compromised device.
Cryptocurrencies and platforms targeted include Bitcoin, Ethereum, Monero, Binance Chain, and Solana, among others.

Coordinated Reputation Manipulation

The hub of the campaign is a WordPress-based phishing site where cybercriminals offer "tools" such as decryptors that they claim give users an advantage in crypto trading. But the promotion of the malware-hiding downloads extends also to GitHub and SourceForge projects, promoted by fake accounts that provide positive feedback for the projects on their respective platforms.

Additionally, the attackers created a dedicated YouTube channel that uses artificial intelligence (AI)-generated narrators, "suspicious view spikes, and highly positive (likely coordinated) comments," according to the post, all of which further create an illusion of popularity and trustworthiness for the fake tools.

The campaign also uses the malware scanning platform VirusTotal, where some samples from this campaign receive benign votes and "safe" comments. "Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems," according to the post.

The researchers discovered threat actors were even going so far as to use legitimate online news sites to publish fake stories about the release of the decryptor advertised on the phishing site, promoting the tool's fake capabilities and including links back to the phishing page.

"It is unclear whether the threat actor published them through paid advertisements that were later removed by the news outlets after being notified of their malicious nature, or whether there is a malicious service — or a set of compromised news outlets — that offers this kind of fraudulent promotion on legitimate websites," Check Point researchers wrote.
New Approach to Malware Delivery

Eli Smadja, group manager, products R&D at Check Point Software, tells Dark Reading it's definitely unusual for cybercriminals to go to such great lengths to distribute this type of malware, as it is not common to see such a wide range of online reputational sources being used to build trust and credibility.

"What makes this unique is how attackers combined multiple trusted platforms to build credibility, even manipulating VirusTotal — typically used by security researchers — to make detections appear as false positives and reinforce a false sense of legitimacy," he says.

This approach demonstrates a paradigm shift in how attackers can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to gain trust with prospective victims and achieve greater success with such campaigns, according to Check Point.

"From a user's perspective, the ability to manipulate sentiment and reputation on platforms like VirusTotal marks an important evolution in how threat actors shape trust," according to the post. "Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims."

Defending Against Novel Trust Campaigns

Given that attackers are expanding their options for how to deliver malware, defenders should regard online reputation with suspicion. Even corporate users can slip malware downloads past enterprise defenses, so security teams also should take heed of the new trust-building strategies used in this campaign, according to Check Point.

Recommended actions for security teams include regarding community reputation signals as potentially adversarial, and educating users about cryptocurrency-focused scams promising automated profits, prediction tools, or trading advantages.
Endpoint protection solutions also are useful, as they "can help block the malicious code, as the websites promoting it are not inherently malicious," Smadja tells Dark Reading. To help bolster this protection, corporate defenders can monitor for clipboard-hijacking behavior in endpoint detection programs, particularly clipboard listeners interacting with cryptocurrency wallet patterns.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
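
The clipboard-monitoring recommendation in the article can be expressed as detection logic. The following is an added example, not code from Dark Reading or Check Point: it flags a wallet address on the clipboard being replaced by a different address of the same currency, written by another process within a short window. The event record, process names, time window and simplified address patterns are assumptions, and the sample telemetry is constructed.

```python
import re
from dataclasses import dataclass

# Simplified address shapes (assumption: format checks only, no checksum validation).
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

@dataclass
class ClipboardEvent:      # hypothetical EDR telemetry record
    ts: float              # seconds since epoch
    process: str           # image name of the process that wrote the clipboard
    text: str

def wallet_kind(text):
    """Return the currency whose address shape the text matches, else None."""
    candidate = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag writes that replace a wallet address with a different address of
    the same currency, from a different process, within `window` seconds."""
    alerts, prev = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        kind = wallet_kind(ev.text)
        if (prev and kind and kind == wallet_kind(prev.text)
                and ev.text.strip() != prev.text.strip()
                and ev.process != prev.process and ev.ts - prev.ts <= window):
            alerts.append((ev.ts, ev.process, kind))
        prev = ev
    return alerts

# Constructed sample telemetry (addresses are made-up strings of the right shape).
SAMPLE = [
    ClipboardEvent(100.0, "chrome.exe", "0x" + "ab" * 20),
    ClipboardEvent(100.4, "updater_helper.exe", "0x" + "cd" * 20),  # swap
    ClipboardEvent(200.0, "notepad.exe", "meeting at 10am"),
    ClipboardEvent(300.0, "wallet.exe", "1" + "A" * 30),
    ClipboardEvent(900.0, "wallet.exe", "1" + "B" * 30),  # same process, long gap
]

if __name__ == "__main__":
    for ts, proc, kind in find_swaps(SAMPLE):
        print(f"ALERT t={ts} {proc} replaced a {kind} address on the clipboard")
```

In production the same-currency, different-writer condition would be combined with process reputation and persistence signals, since legitimate clipboard managers also rewrite clipboard contents.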