Daily Crypto News & Musings

Malware in Procolored Printer Driver Steals 9.3 BTC Since October 2023

Bitcoin-stealing Malware Found in Chinese Printer Driver

Setting up a new printer shouldn’t come with the risk of losing your digital assets. Yet that is exactly what happened to buyers of Procolored’s UV printers. Security researchers found Bitcoin-stealing malware inside the company’s official driver software, and the attacker’s address has collected 9.3 BTC from victims since October 2023. The trick is simple: the malware watches the Windows clipboard and swaps any copied wallet address for the attacker’s, much like a thief redirecting your parcel to their own doorstep.

How the Malware Operates

The driver package carried a backdoor detected as Win32.Backdoor.XRedRAT.A, which gives its operator remote control of the infected PC, together with clipboard-hijacking code. According to the investigation, the files were contaminated by infected USB devices somewhere in Procolored’s supply chain and then uploaded by the company to its cloud download storage, so every customer who fetched the official driver from there received the malware along with it. The theft itself is “clipboard manipulation”: whenever text shaped like a Bitcoin address lands on the clipboard, the malware quietly replaces it with the attacker’s address. The victim pastes into their wallet what they believe is the address they copied, glances at the first few characters at most, and signs a payment to a stranger. Imagine copying a friend’s address to send a gift, only to find it went to someone else instead. The one reliable defence at the moment of payment is to compare the full pasted address with the source and, with a hardware wallet, confirm it on the device’s own screen, which malware on the PC cannot alter.
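The swap described above, modelled as pure Python functions (an added example, not code from the article and not Procolored’s driver or G DATA’s or SlowMist’s tooling): a copied address is compared with what actually gets pasted, legacy addresses are checked with a standard base58check decode, and a paste that lands on the attacker address quoted in the article is flagged as an indicator of compromise. The two demo addresses are constructed from made-up hash160 values; nothing here touches a real clipboard, so it runs offline.

```python
"""Clipboard-swap ("clipper") detection as pure, testable functions.

Added example. It models the attack the article describes: the victim copies
a Bitcoin address, malware replaces the clipboard contents, the victim pastes
the attacker's address. Wiring this to a live clipboard watcher is left out;
everything operates on strings. IOC_ADDRESSES holds the attacker address quoted
in the article; the demo addresses are built from fake hash160 values.
"""
import hashlib
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Structural match for mainnet legacy (1.../3...) and bech32 (bc1...) addresses.
# This only says "shaped like an address"; the checksum check below is stronger.
BTC_ADDRESS_RE = re.compile(
    r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"
)

# Known-bad destination from the article. A paste landing here is a hit
# no matter what was copied.
IOC_ADDRESSES = {"1BQZKqdp2CV3QV5nUEsqSglygegLmqRygJ"}


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash behind the 4-byte base58check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    """Base58 encode; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> Optional[bytes]:
    """Base58 decode; None if any character is outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def make_p2pkh(hash160: bytes) -> str:
    """Build a legacy mainnet address (version byte 0x00) from a 20-byte hash."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be 20 bytes")
    payload = b"\x00" + hash160
    return b58encode(payload + sha256d(payload)[:4])


def legacy_checksum_ok(address: str) -> bool:
    """True if a 1.../3... address decodes to 25 bytes with a valid checksum."""
    raw = b58decode(address)
    if raw is None or len(raw) != 25:
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


def looks_like_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS_RE.match(text.strip()))


def is_plausible_address(text: str) -> bool:
    """Shape check plus checksum for legacy addresses (bech32: shape only)."""
    if not looks_like_btc_address(text):
        return False
    if text[0] in "13":
        return legacy_checksum_ok(text)
    return True  # bech32 checksum deliberately not implemented here


def classify_paste(copied: str, pasted: str) -> str:
    """Compare the address the user copied with the text that got pasted.

    'ok'         pasted text is exactly what was copied
    'ioc'        pasted text is a known attacker address
    'swapped'    pasted text is a different, valid-looking Bitcoin address
    'mangled'    pasted text is not a usable address (typo, truncation)
    'no-address' the copied text was never an address (nothing to protect)
    """
    copied, pasted = copied.strip(), pasted.strip()
    if not is_plausible_address(copied):
        return "no-address"
    if pasted == copied:
        return "ok"
    if pasted in IOC_ADDRESSES:
        return "ioc"
    if is_plausible_address(pasted):
        return "swapped"
    return "mangled"


if __name__ == "__main__":
    # Constructed demo: victim and attacker addresses from fake hash160 values.
    victim = make_p2pkh(bytes(range(20)))
    attacker = make_p2pkh(bytes([0xAB] * 20))
    samples = (victim, attacker, "1BQZKqdp2CV3QV5nUEsqSglygegLmqRygJ", victim[:-1] + "?")
    for pasted in samples:
        print(f"{pasted:36} -> {classify_paste(victim, pasted)}")
```

The order of checks matters: the IOC comparison runs before any structural validation, so a known attacker address is reported even if it was copied from a source with a stray or mistyped character. A real clipper substitutes a fully valid address, which is why “swapped” requires the pasted text to pass the checksum; a single-character corruption is reported separately as “mangled”.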

Discovery and Response

The malware was first spotted by YouTuber Cameron Coward while testing a Procolored UV printer. His findings sparked a broader investigation by security researchers at G DATA and SlowMist. Yu Xian, the founder of SlowMist, confirmed the finding, stating:

This printer’s official driver comes with backdoor code… which can hijack the wallet address in the user’s clipboard and replace it with the attacker’s own: 1BQZKqdp2CV3QV5nUEsqSglygegLmqRygJ.

Procolored initially dismissed the detection as a false positive, a response that did not sit well with the crypto community. The company later acknowledged the problem, pulled the infected drivers from its storage on May 8, 2025 and rescanned all of its files. By then the damage was done.

A Growing Threat Landscape

This incident serves as a stark reminder of the myriad threats facing the crypto community as the market continues to expand. Over $1.7 billion has been stolen this year alone, with incidents ranging from phishing scams to physical attacks on high-profile figures and mining facilities. The growth of the crypto market attracts more malicious actors, underscoring the need for constant vigilance and robust security measures.

Large crypto holders are now taking unprecedented steps to protect their assets. Hiring private security firms has become common practice to guard against both digital and physical threats. This trend highlights the real-world risks associated with holding significant amounts of cryptocurrency.

The Silver Lining of Decentralization

While incidents like these expose the vulnerabilities in the crypto space, they also drive innovation and the development of stronger, more resilient systems. Decentralized technologies empower users to control their own funds, fostering an environment where security solutions can evolve rapidly. This aligns with the philosophy of effective accelerationism (e/acc), where challenges spur technological advancement.

Protecting Your Bitcoin

Anyone who installed Procolored driver software obtained since October 2023, whether from the bundled USB stick or the cloud download, should assume the machine was backdoored, not merely infected with an address swapper. A full antivirus scan is the minimum; because XRedRAT gives an attacker remote control of the PC, a clean reinstall of the operating system is the safer course, and any wallet keys that were ever on that machine should be treated as exposed, with funds moved to fresh keys generated elsewhere. Beyond this incident, keep funds in a hardware wallet and verify every destination address on the device’s own screen, use secure communication channels, and stay current on security best practices. The crypto community must remain alert to the evolving landscape of threats, from malware hidden in printer drivers to physical attacks on crypto whales.

Key Takeaways and Questions

  • What was the source of the Bitcoin-stealing malware?

    The malware was introduced through infected USB devices, part of a compromised supply chain, and then uploaded to cloud storage by Procolored.

  • How does the malware steal Bitcoin?

    It hijacks wallet addresses on the user’s clipboard, replacing them with the attacker’s address, redirecting any subsequent transactions to the attacker.

  • What are the broader security threats facing the crypto market?

    The crypto market faces various threats, including phishing scams, malware, and physical attacks on crypto holders, as the market’s growth attracts more bad actors.

  • What steps are large crypto holders taking to protect themselves?

    Large crypto holders are increasingly hiring private security firms to protect against physical threats and abductions.

  • When did the malware first become active, and how long has it been stealing Bitcoin?

The infected driver files date from October 2023, and the attacker’s address kept receiving funds until Procolored removed the infected drivers from its storage on May 8, 2025, a window of roughly nineteen months.

  • How can the crypto community protect against similar threats?

    Use hardware wallets, secure communication channels, and stay informed about the latest security best practices to safeguard your digital assets.