Crypto Heist Fueled by Elaborate Fake Reputation-Boosting Campaign
Dark Reading
Attackers are using multiple online channels — including GitHub, YouTube, and VirusTotal — to build an illusion of trust to spread a cross-platform clipboard hijacker.
Elizabeth Montalbano, Contributing Writer
June 22, 2026
Cybercriminals have created an elaborate, global reputation network — comprised of GitHub repositories, SourceForge projects, bogus YouTube videos, and other online assets — in a wide-scale cryptocurrency heist that targets both Windows and macOS platforms.
While the campaign does not specifically target enterprises, it demonstrates an evolution in how threat actors no longer need to rely on traditional channels of malware distribution and instead can go right to the source using advanced social engineering, according to researchers.
Check Point Software uncovered the campaign, which spreads a Rust-based clipboard hijacking malware targeting "users who are looking for shortcuts and quick profits — particularly crypto owners and online crash‑game gamblers and traders who are attracted by promises of automated gains and 'predictable' outcomes," according to a post published last week.
What's arguably most notable about the campaign, however, is not necessarily who it's targeting or the malware itself, but the extensive multichannel promotion that attackers used to convince users that they will have an "unfair advantage" in their crypto activity by downloading their fake tools.
The ultimate payload of the campaign is a clipboard hijacker that has Windows and macOS versions. Both versions are designed for stealing cryptocurrency from their targets by repeatedly obtaining crypto wallet addresses from their clipboards and maintaining persistence on the compromised device. Cryptocurrencies and platforms targeted include: Bitcoin, Ethereum, Monero, Binance Chain, and Solana, among others.
Coordinated Reputation Manipulation
The hub of the campaign is a WordPress-based phishing site where cybercriminals offer "tools" such as decryptors that they claim give users an advantage in crypto trading. But the promotion of the malware-hiding downloads extends also to GitHub and SourceForge projects, promoted by fake accounts that provide positive feedback for the projects on their respective platforms.
Additionally, the attackers created a dedicated YouTube channel that uses artificial intelligence (AI)-generated narrators, "suspicious view spikes, and highly positive (likely coordinated) comments," according to the post, all of which further create an illusion of popularity and trustworthiness for the fake tools.
The campaign also uses the malware scanning platform VirusTotal, where some samples from this campaign receive benign votes and "safe" comments. "Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems," according to the post.
The researchers discovered threat actors were even going so far as to use legitimate online news sites to publish fake stories about the release of the decryptor advertised on the phishing site, promoting the tool's fake capabilities and including links back to the phishing page. "It is unclear whether the threat actor published them through paid advertisements that were later removed by the news outlets after being notified of their malicious nature, or whether there is a malicious service — or a set of compromised news outlets — that offers this kind of fraudulent promotion on legitimate websites," Check Point researchers wrote.
New Approach to Malware Delivery
Eli Smadja, group manager, products R&D at Check Point Software, tells Dark Reading it's definitely unusual for cybercriminals to go to such great lengths to distribute this type of malware, as it is not common to see such a wide range of online reputational sources being used to build trust and credibility.
"What makes this unique is how attackers combined multiple trusted platforms to build credibility, even manipulating VirusTotal — typically used by security researchers — to make detections appear as false positives and reinforce a false sense of legitimacy," he says.
This approach demonstrates a paradigm shift in how attackers can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to gain trust with prospective victims and achieve greater success with such campaigns, according to Check Point.
"From a user's perspective, the ability to manipulate sentiment and reputation on platforms like VirusTotal marks an important evolution in how threat actors shape trust," according to the post. "Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims."
Defending Against Novel Trust Campaigns
Given that attackers are expanding their options for how to deliver malware, defenders should regard online reputation with suspicion. Even corporate users can slip malware downloads past enterprise defenses, so security teams also should take heed of the new trust-building strategies used in this campaign, according to Check Point.
Recommended actions for security teams include regarding community reputation signals as potentially adversarial, and educating users about cryptocurrency-focused scams promising automated profits, prediction tools, or trading advantages.
Endpoint protection solutions also are useful, as they "can help block the malicious code, as the websites promoting it are not inherently malicious," Smadja tells Dark Reading. To help bolster this protection, corporate defenders can monitor for clipboard-hijacking behavior in endpoint detection programs, particularly clipboard listeners interacting with cryptocurrency wallet patterns.
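As an added illustration of the clipboard-monitoring recommendation above (not code from Check Point or Dark Reading), the following sketch flags the telltale swap: a wallet address on the clipboard replaced moments later, by a different process, with another address of the same currency. The telemetry record fields, process names, address patterns, and two-second window are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Simplified address shapes for currencies the article names (assumed patterns;
# shape checks only, no checksum validation).
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),  # same shape on Binance Chain
    "monero": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{43,44}$"),
}

@dataclass
class ClipEvent:      # hypothetical EDR telemetry record
    ts: float         # event time in seconds
    process: str      # process that wrote to the clipboard
    text: str         # clipboard content after the write

def classify(text):
    """Return the currency whose address shape the text matches, or None."""
    candidate = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None

def find_swaps(events, window=2.0):
    """Flag a wallet address replaced within `window` seconds by a different
    address of the same currency, written by a different process."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        kind = classify(prev.text)
        if (kind and classify(cur.text) == kind
                and cur.text.strip() != prev.text.strip()
                and cur.process != prev.process
                and cur.ts - prev.ts <= window):
            alerts.append((cur.process, kind, cur.ts))
    return alerts

# Constructed sample telemetry; addresses and process names are made up.
SAMPLE = [
    ClipEvent(10.0, "browser.exe", "0x" + "a" * 40),
    ClipEvent(10.3, "updater_helper.exe", "0x" + "b" * 40),  # rapid swap
    ClipEvent(50.0, "browser.exe", "hello world"),
    ClipEvent(90.0, "wallet.exe", "1" + "A" * 33),
    ClipEvent(200.0, "wallet.exe", "1" + "B" * 33),  # later copy, same process
]

if __name__ == "__main__":
    for process, kind, ts in find_swaps(SAMPLE):
        print(f"possible clipboard hijack: {process} replaced a {kind} address at t={ts}")
```

The same-process, long-gap case at the end of the sample is deliberately not flagged, since users legitimately copy several addresses in a row from one wallet application.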
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.