Lithuanian suspect arrested over KMSAuto malware that infected 2.8M systems

A Lithuanian national was arrested for allegedly spreading KMSAuto malware that stole clipboard data and infected 2.8 million Windows and Office systems.

A Lithuanian man (29) was arrested for allegedly spreading KMSAuto-based clipboard-stealing malware that infected about 2.8 million Windows and Office systems.

The man was extradited from Georgia to South Korea under Interpol coordination. Authorities say he trojanized the KMSAuto piracy tool to distribute clipper malware that monitored victims’ clipboards for cryptocurrency addresses and replaced them with attacker-controlled wallets, redirecting crypto transactions without users’ knowledge.

According to the Korean National Police Agency, the suspect used KMSAuto to lure victims into downloading a malicious executable that scanned the clipboard for cryptocurrency addresses and replaced them with ones controlled by the attacker – known as ‘clipper malware’.

According to the Korean National Police Agency, the suspect added malware to the KMSAuto tool that checked clipboard contents for cryptocurrency addresses and changed the destination address to one controlled by the attacker. This type of threat is called clipper malware.

From 2020 to 2023, malware disguised as the illegal Windows activator KMSAuto was downloaded about 2.8 million times worldwide. The clipper malware replaced crypto wallet addresses during transactions, enabling theft via 8,400 transfers from 3,100 wallets, totaling about ₩1.7 billion. Eight South Korean victims lost ₩16 million, with infections traced to pirated software.

“Between April 2020 and January 2023, the suspect distributed malware disguised as an illegal Windows activation tool known as KMSAuto. The malicious software was downloaded approximately 2.8 million times worldwide, including in South Korea.” reads the press realese issued by the Korean police. “Investigators identified 3,100 compromised cryptocurrency wallet addresses, which were used in 8,400 transactions to steal virtual assets worth approximately 1.7 billion won. Eight South Korean victims were confirmed, suffering combined losses of about 16 million won.”

In August 2020, police launched an investigation after a victim lost 1 Bitcoin, worth about 12 million won, when malware automatically replaced the intended wallet address with one controlled by a hacker during a transaction. The infection came from KMSAuto, an illegal Windows activation tool downloaded online. Investigators uncovered a large-scale international operation targeting exchanges and companies across six countries, traced illicit crypto flows, and identified a Lithuanian suspect. With the help of international partners, police seized the suspect’s devices, issued an Interpol red notice, and arrested the suspect in Georgia.

“Various damages caused by malicious programs To prevent this, you should be careful with programs from unknown sources..”saying,“In the future too Police are working with law enforcement agencies around the world to combat borderless cybercrime. We plan to respond strictly, including repatriation.”. Park Woo-hyun, cyber investigation director at the National Police Agency, said.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)