
‘Clipper’ malware is being used to steal crypto, Binance warns

Binance is warning customers that malware is being used to manipulate withdrawal addresses in order to steal cryptocurrency, in a campaign that has led to “significant financial losses for victims.”

The company, which is the largest cryptocurrency exchange in the world, said its security team is in the process of identifying and blacklisting suspicious addresses while also letting victims know if they have been affected by the so-called ‘clipper’ malware. Binance did not respond to requests for comment about how many people have been affected and how much money has been stolen. 

“We have identified a global malware issue that is significantly impacting cryptocurrency transactions by altering withdrawal addresses during the transaction process. This type of malicious software… intercepts data stored in the clipboard, primarily targeting cryptocurrency wallet addresses,” the company said.

“When a user copies and pastes a wallet address to transfer cryptocurrency, the malware replaces the original address with one designated by the attacker.”

If the user does not notice the change, the crypto is sent to the attacker's wallet. Binance noted that it saw a spike in this kind of activity on August 27, adding that clipper malware is typically distributed through unofficial apps and plugins on Android devices. 
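The address swap described above can be looked for in clipboard telemetry. The following is an added example, not code from Binance or from this article: it assumes a hypothetical monitor that records each clipboard write as `(seconds, origin, text)`, and every address in it is constructed.

```python
import re

# Address shapes only (no checksum validation): enough to say "looks like a wallet address".
ADDRESS_PATTERNS = {
    "btc-base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_family(text):
    """Return the address family the clipboard text matches, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return family
    return None

def find_swaps(events, window=30.0):
    """Flag clipboard writes that replace a user-copied address with a different one.

    events: iterable of (seconds, origin, text); origin is "user" for a copy the
    user made, "background" for a write with no user action (assumed format).
    """
    alerts = []
    last_user = None  # (time, family, address) of the most recent user copy
    for ts, origin, text in events:
        family = address_family(text)
        if origin == "user":
            last_user = (ts, family, text.strip()) if family else None
            continue
        if last_user is None or family is None:
            continue
        copied_at, copied_family, copied = last_user
        if family == copied_family and text.strip() != copied and ts - copied_at <= window:
            alerts.append({"at": ts, "copied": copied, "replaced_with": text.strip()})
    return alerts

# Constructed sample events; these are not real wallet addresses.
SAMPLE_EVENTS = [
    (0.0, "user", "meeting notes"),
    (5.0, "user", "0x" + "a1" * 20),
    (5.4, "background", "0x" + "b2" * 20),    # same shape, different address: swap
    (60.0, "user", "1" + "A" * 33),
    (61.0, "background", "hello"),            # not an address: ignored
    (200.0, "user", "0x" + "c3" * 20),
    (200.2, "background", "0x" + "c3" * 20),  # same value rewritten: ignored
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works at the point of use: a wallet or exchange client that remembers the address the user copied can refuse or warn when the pasted value has the same shape but a different value.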

Victims often downloaded these malicious apps accidentally while trying to find software in different languages or through unofficial websites that they use because of restrictions in the country where they live. While Android devices are affected, Binance said iOS users should also be wary.  

Several crypto thefts have been stopped by Binance, according to its statement, and the company urged victims to come forward if they believe their cryptocurrency was stolen.

Researchers have long warned of strains of malware that allow hackers to steal cryptocurrency by swapping out addresses placed onto a victim’s clipboard.

In November, Binance agreed to pay more than $4 billion in settlements with several U.S. law enforcement agencies after years of investigations uncovered widespread criminal use of the platform. 

The Treasury Department said the platform was used by groups like Hamas’ Qassam Brigades, Palestinian Islamic Jihad (PIJ), Al-Qaida, and the Islamic State group, as well as ransomware attackers, money launderers, and other criminals.

Last month, Binance said its security team recovered $73 million in user funds that were stolen in hacks through July 31. That figure far surpassed the $55 million recovered in 2023. 

Of the $73 million, the vast majority came from hacks or crypto platforms that had been exploited. One-fifth came from a variety of crypto-focused scams.

Jimmy Su, chief security officer at Binance, said they have tried to expand collaborations with third-party services to better allow them to track and recover stolen funds.

Chainalysis warned last month that crypto heists are on the rise, with cybercriminals netting nearly $1.6 billion in the first half of 2024, up from $857 million during the same period of 2023.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.