Security Articles

HUMINT Operations Uncover Cryptojacking Campaign: Discord-Based Distribution of Clipboard Hijacking Malware Targeting Cryptocurrency Communities

released on 2026-01-15 @ 05:16:58 PM
A sophisticated cryptocurrency theft operation, orchestrated by the threat actor 'RedLineCyber', has been uncovered. The actor distributes a malicious executable named 'Pro.exe', a Python-based clipboard hijacking trojan designed for silent cryptocurrency theft. This malware continuously monitors the Windows clipboard for cryptocurrency wallet addresses and substitutes them with attacker-controlled addresses. The threat actor exploits trust within Discord communities focused on gaming, gambling, and cryptocurrency streaming. The malware demonstrates moderate technical complexity, using obfuscated Python bytecode and base64-encoded regular expressions for wallet detection. It targets cryptocurrency streamers, casino gaming communities, and users who frequently handle digital asset transactions during live broadcasts. The operation has successfully compromised multiple victims across six major cryptocurrencies.