VYPR
Research · Published Jun 22, 2026 · 1 source

Crypto Clipboard Hijacker Spreads via Elaborate Fake Reputation Campaign on GitHub, YouTube, VirusTotal

Attackers are gaming GitHub, YouTube, and VirusTotal to build a fake trust profile for a cross-platform clipboard hijacker that replaces copied crypto wallet addresses to steal funds.

A sophisticated social-engineering campaign is leveraging three major online platforms — GitHub, YouTube, and VirusTotal — to create an illusion of legitimacy for a cross-platform clipboard hijacker targeting cryptocurrency users. The malware silently replaces wallet addresses copied to the clipboard with attacker-controlled ones, diverting funds during transactions. Researchers say the operation represents a new level of supply-chain-style trust building that abuses the reputation mechanisms of multiple legitimate services simultaneously.

The clipboard hijacker, written in a cross-platform language such as Python or Rust, runs on Windows, macOS, and Linux. When a user copies what they believe is their recipient's cryptocurrency address — for Bitcoin, Ethereum, or other tokens — the malware intercepts the clipboard data and substitutes a different address controlled by the attackers. Because the substitution happens instantly and the user typically does not double-check the pasted address, the stolen funds are sent to the adversary's wallet before the victim notices anything wrong.

To distribute the malware, the attackers created GitHub repositories that appear to be legitimate open-source projects or tools related to cryptocurrency management. These repositories contain the malware disguised as a utility or update. To boost their credibility, the operators uploaded the same samples to VirusTotal, where they can be seen as having a low detection rate — ironically making the files appear safer to wary users. They also produced YouTube videos demonstrating the fake tool's functionality, complete with positive comments and upvotes likely generated by sock puppets or bots.

This multi-platform reputation laundering is reminiscent of supply-chain attacks where trust is built over time before malicious code is introduced. By seeding positive signals across GitHub stars, VirusTotal scan results, and YouTube engagement, the attackers hope to convince potential victims — often cryptocurrency enthusiasts or traders — that the software is safe. The campaign exploits the fact that many users check VirusTotal before running a binary and rely on GitHub stars as a proxy for trustworthiness.

The campaign is not tied to any single cryptocurrency exchange or wallet vendor, making it a general threat to anyone handling cryptocurrency addresses. Security experts recommend that users manually type or verify wallet addresses through official sources, enable hardware wallet confirmation screens, and avoid downloading cryptocurrency tools from unfamiliar repositories. Organizations with employees handling crypto transactions should enforce endpoint controls that block clipboard-interception malware and monitor for suspicious outbound network connections.

While the full scope of the operation remains under investigation, the abuse of VirusTotal's scan results is particularly concerning because the platform is widely used by security teams to assess file safety. The attackers appear to be gaming the detection engines by submitting clean versions of their tool first, then swapping the binary after several scans — a tactic known as "binary padding" or "versioning" — so that the VirusTotal score shows a history of clean results. This technique has been observed in prior clipboard hijacker campaigns but rarely with such coordinated cross-platform amplification.

As cryptocurrency adoption continues to grow, clipboard hijackers remain a persistent low-tech threat that can inflict high-value losses. This campaign underscores the need for wallet software to implement address verification steps independently of the operating system clipboard, and for users to remain skeptical of tools promoted through fake social proof. Security teams tracking the campaign are advising defenders to block known hashes and domains associated with the repositories and to report the fraudulent GitHub accounts.
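The substitution behaviour described above, and the article's call for verification independent of the clipboard, suggest a simple endpoint detection: flag any clipboard rewrite in which one wallet address is replaced by a different address of the same chain type within a fraction of a second. The following is an added illustration, not code from the article or from any vendor; the address regexes are shape-only checks (no checksum validation), the 500 ms window is an assumed threshold, and the clipboard observations are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape-only patterns for the chains the article names (assumed for this
# example; they do not verify base58check or EIP-55 checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the chain type a clipboard string looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return name
    return None


@dataclass
class ClipboardEvent:
    t_ms: int      # time the clipboard content was observed, in milliseconds
    content: str   # clipboard text at that moment


def detect_swaps(events: List[ClipboardEvent],
                 window_ms: int = 500) -> List[Tuple[int, str, str]]:
    """Return (time, original, replacement) for each suspicious rewrite.

    A rewrite is suspicious when an address is replaced by a *different*
    address of the same chain type within window_ms: that is how a clipper
    behaves, whereas a person copying a second address of their own takes
    noticeably longer between copies.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.content)
        if (kind is not None and classify(cur.content) == kind
                and prev.content != cur.content
                and cur.t_ms - prev.t_ms <= window_ms):
            alerts.append((cur.t_ms, prev.content, cur.content))
    return alerts


# Constructed clipboard observations (not real campaign data).
SAMPLE_EVENTS = [
    ClipboardEvent(0, "meeting notes"),
    ClipboardEvent(1000, "0x" + "a1" * 20),    # user copies an ETH address
    ClipboardEvent(1040, "0x" + "b2" * 20),    # rewritten 40 ms later: suspicious
    ClipboardEvent(9000, "bc1q" + "x" * 38),   # later the user copies a BTC address
    ClipboardEvent(15000, "bc1q" + "z" * 38),  # 6 s later: plausibly the user again
]

if __name__ == "__main__":
    for t, before, after in detect_swaps(SAMPLE_EVENTS):
        print(f"[{t} ms] clipboard address rewritten: {before} -> {after}")
```

A wallet applying the same idea compares the pasted value against an address confirmed out of band (a contact-book entry or a hardware wallet screen) rather than trusting the clipboard alone.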

Synthesized by Vypr AI