A newly discovered form of cryptojacking malware, referred to as MassJacker, is specifically targeting users involved in piracy and taking over cryptocurrency transactions by altering stored addresses. This information comes from a report published on March 10.
The origins of this malware can be traced back to the website pesktop[dot]com, where individuals looking to download pirated software might inadvertently infect their devices with MassJacker. Once the malware is on a device, it replaces crypto addresses copied to the clipboard with addresses under the attacker’s control.
Data indicates that there are 778,531 unique wallets associated with the heist, though only 423 of these wallets have held crypto assets at any given time. The cumulative value of cryptocurrency that has been either stored in or transferred from these wallets reached $336,700 as of August. However, the actual scale of the theft might be either greater or lesser than indicated.
One specific wallet appeared notably active, containing just over 600 Solana (SOL), valued at around $87,000 during the analysis, and it had a record of holding non-fungible tokens (NFTs) such as Gorilla Reborn and Susanoo.
An investigation into this wallet through Solana’s blockchain explorer reveals a history of 1,184 transactions starting from March 11, 2022. Besides transfers, the wallet’s owner engaged in decentralized finance activities in November 2024, swapping various tokens such as Jupiter (JUP), Uniswap (UNI), USDC (USDC), and Raydium (RAY).
### Targeting Various Devices with Crypto Malware
Crypto malware is not a recent phenomenon. The first publicly accessible cryptojacking script surfaced in 2017, and since then attackers have targeted a range of devices across different operating systems.
In February 2025, Kaspersky Labs reported the detection of crypto malware embedded in app development kits for both Android and iOS, with the capability to scan images for cryptocurrency seed phrases. Additionally, in October 2024, cybersecurity firm Checkmarx uncovered crypto-stealing malware within the Python Package Index (PyPI), a platform used by developers to share and download code. Other forms of crypto malware have also posed threats to macOS devices.
In contrast to traditional tactics that require victims to open suspicious PDF files or download infected attachments, attackers are adopting more cunning strategies. One emerging technique involves fake job scams, where the attacker lures the victim with job offers. During a virtual interview, the attacker manipulates the victim into “fixing” issues with their microphone or camera, which is, in fact, the means to install malware that can subsequently deplete the victim’s cryptocurrency wallet.
The “clipper” attack—where malware changes cryptocurrency addresses saved to the clipboard—is less recognized than ransomware or data-stealing malware, yet it presents advantages for cybercriminals as it operates stealthily and often remains undetected in sandbox environments.
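The address swap described above can be caught by watching for one address-shaped clipboard value being replaced by a different one of the same type faster than a person could re-copy. The following is an added example, not code from the report: the snapshot format, the function names, the 2-second threshold and the shape-only patterns are all assumptions, and the sample addresses are constructed placeholders.

```python
import re

# Shape-only patterns (no checksum validation); a heuristic assumed for this example.
ADDRESS_PATTERNS = [
    ("ethereum", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("bitcoin-bech32", re.compile(r"bc1[0-9a-z]{11,71}")),
    ("bitcoin-legacy", re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")),
    ("solana", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]

def classify(text):
    """Return the address family whose shape the whole clipboard text matches, else None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(candidate):
            return family
    return None

def detect_swaps(snapshots, max_gap=2.0):
    """Flag address-to-address replacements that happen faster than a person re-copies.

    snapshots: iterable of (unix_time, clipboard_text), oldest first.
    """
    alerts = []
    prev = None  # (time, text, family) of the previous snapshot
    for when, text in snapshots:
        family = classify(text)
        if prev and family and prev[2] == family:
            changed = prev[1].strip() != text.strip()
            if changed and when - prev[0] <= max_gap:
                alerts.append({"family": family, "copied": prev[1].strip(),
                               "replaced_by": text.strip(), "gap": when - prev[0]})
        prev = (when, text, family)
    return alerts

# Constructed clipboard history; every address below is a made-up placeholder.
SAMPLE = [
    (100.0, "meeting notes"),
    (130.0, "0x" + "a" * 40),   # user copies a payee address
    (130.3, "0x" + "b" * 40),   # clipboard rewritten 0.3 s later: flagged
    (200.0, "A" * 44),          # user copies a Solana-shaped address
    (260.0, "B" * 44),          # user copies another one a minute later: not flagged
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE):
        print(alert)
```

The same comparison applies at the point of payment: the address about to be submitted should match the one originally copied from the payee.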