Official KMSPico Malware TheAlmightyRedditor
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
CryptBot is malware commonly bundled with pirated software, such as tools for circumventing Windows licensing. Once downloaded and run, it harvests information from multiple programs, including common cryptocurrency wallets, and reports it to its operators. Multiple victims have lost funds; in this case the loss appears to have been $30k. No funds appear to have been recovered, though they have been extensively traced across multiple blockchains.
This is a global/international case not involving a specific country.[1][2]
About TheAlmightyRedditor
TheAlmightyRedditor is a Reddit user.
About KMSPico
"KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without actually owning a license key. It takes advantage of Windows Key Management Services (KMS), a legitimate technology introduced to license Microsoft products in bulk across enterprise networks. Under normal circumstances, enterprises using legitimate KMS licensing install a KMS server in a central location and use Group Policy Objects (GPO) to configure clients to communicate with it. KMSPico, on the other hand, emulates a KMS server locally on the affected system to fraudulently activate the endpoint’s license."
The Reality
CryptBot is a "typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2." "Cryptbot combines complex evasion techniques and a rather simple social-engineering based distribution strategy to produce an interesting method of attack that manages to stay relatively hidden in the current malware landscape."
"Cryptbot, an infostealer that takes victims’ cryptocurrency wallet and account credentials, was the most prolific malware family in the group, raking in almost half a million dollars in pilfered Bitcoin. Another prolific family is QuilClipper, a clipboard stealer or “clipper,” ranked eighth on the graph above. Clippers can be used to insert new text into the “clipboard” that holds text a user has copied, usually with the intent to paste elsewhere. Clippers typically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to send funds — the clipper malware effectively hijacks the transaction by then substituting an address controlled by the hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker."
"Cryptbot is capable of collecting sensitive information from Atomic cryptocurrency wallet, Avast Secure web browser, Brave browser, Ledger Live cryptocurrency wallet, Opera Web Browser, Waves Client and Exchange cryptocurrency applications, Coinomi cryptocurrency wallet, Google Chrome web browser, Jaxx Liberty cryptocurrency wallet, Electron Cash cryptocurrency wallet, Electrum cryptocurrency wallet, Exodus cryptocurrency wallet, Monero cryptocurrency wallet, MultiBitHD cryptocurrency wallet, Mozilla Firefox web browser, CCleaner web browser, and Vivaldi web browser."
"CryptBot is an Infostealer that is being distributed through malicious websites disguised as software download pages. Because there are multiple malicious websites created and many of them appear on the top page when keywords such as cracks and serials of popular commercial software are entered in search engines, many users are subject to download the malware and run it. In addition, the sample uses the SFX packing, making [it] difficult to distinguish between normal and malicious files, and changes occur multiple times a day."
"In this latest campaign, Cryptbot is delivered as a Trojan malware. Consistent with the ancient trojan horse, the info-stealer hides within legitimate software in order to be installed by its victims. Over its year of activity, it has been disguised as an installer of a free VPN application and as an installer of legitimate commercial software. Delivered either by itself or bundled with other malicious applications. For example, users looking for cracked versions of PhantomPDF editor, Adobe Illustrator or Malwarebytes AV have found themselves installing the info-stealer instead of their preferred programs. The sample we’ve encountered claimed to be an installer for the Glary Utilities suite that consists of several utilities for Windows optimization and cleanup."
What Happened
"I just downloaded without scrolling down, I've been torrenting since 2008 and have never had an issue so negligence on my part, I didn't scroll through the site just downloaded! I'm dumb. I know."
"Downloaded" "[m]alware from official-kmspico.com" "then went to bed woke up and my [cryptocurrency] was gone, then did some research on kmspico like searching on Reddit kmspico and found a ton on other threads confirming." "Downloaded at 10pm woke up in the morning and all was gone." "Apparently the one from official-kmspico.com is known to contain malware. Reddit search kmspico and a lot of folks are saying that the normal kmspico has been around forever and should be fine."
Date | Event | Description |
---|---|---|
December 17th, 2021 12:17:46 PM MST | Post On Reddit | TheAlmightyRedditor makes a post about Polygon being added to Ledger Live[3][4]. |
December 27th, 2021 6:20:25 AM MST | Post On Reddit | |
December 30th, 2021 10:56:30 AM MST | Post On Reddit | TheAlmightyRedditor posts to the CryptoCurrency subreddit asking for help tracing the stolen funds[5][6]. |
January 1st, 2022 6:23:37 PM MST | PowerOfTheGods Connection | TheAlmightyRedditor finds that the address that drained their wallet is connected to the address which stole funds from another Reddit user, PowerOfTheGods[7]. |
Technical Details
Blockchain Transactions: [8][9][10][11][12][13][14][15]
"[T]he breakdown is as follows: You consolidated your Matic from various wallets into this one joint wallet over the past couple of weeks. [A]ll matic drained 3 days ago into [the attacker's] wallet."
"Swap over [to] Etherscan using the same wallet address and you'll find [what] funded the first transaction of 0x365db, which first purchased Eth [using] Binance."
"Swap over to Binance Smart Chain and you'll find [an address which] funneled some BNB in from Kucoin and [another] wallet [which] funnels into two others, that connect back to Binance as well, one of which cashes out."
"Swap over to Avalanche and you'll find [a transaction] funneled some AVAX over from Binance, not only to the wallet that stole from you but SEVERAL others as well which all connect back to Binance if you hop a few more times deep."
"It would appear these particular scammers are part of a connected ring to the tune of millions of USD worth of funneled assets of Avax/BNB/ETH etc. The vast majority of the stolen assets are just sitting in a few dozen different wallets that have not connected to any exchanges yet unfortunately."
"The thief used anyswap to swap the MATIC for USDC on a different blockchain. It's an easy way to mask where it ended up. My guess, it['s] on the ethereum blockchain right now...gotta find it." "Here is the next sequence of events for you. You[r] stolen funds are now on the binance smart chain. Likely destined for the Cex for sale." "Thief used anyswap to convert it to USDC on Polygon -> BNB on Binance Smart Chain. Your funds are here and now mixed with the attacker['s] tokens." "Followed the paper trail a bit, looks like [after] receiving the tokens they were sent to a wallet that has interacted with WhiteBIT." "Bingo! Binance Hot Wallet." "And while I'm not as sure on this one, it would appear this is their Binance attached wallet. Others report it scamming as well. Looks like it's connected to their BSC scam wallets." "Looks like they've also interacted with KuCoin." "This is their KYC connected wallet. They regularly buy and sell eth using it and fund the scam wallets gas with it. It is connected to cryptodotcom."
Total Amount Lost
TheAlmightyRedditor reports that they lost $30k worth of cryptocurrency.
"This is true[.] I was hacked for 30k a few days ago from the same address[.]" "I got hacked from this same address recently[.] I downloaded malware from official-kmspico.com[.]"
The total amount lost has been estimated at $30,000 USD.
Immediate Reactions
TheAlmightyRedditor "completely reset" their computer, which likely indicates a full reinstall of the operating system. They then reached out for help from the Reddit community.
Post About Situation On Reddit
"It seems to be some sort of network of scammers. I downloaded malware from official-kmspico.com so from a different source however the funds were transferred to this wallet. I think this is actually something larger than just one hacker/scammer. And based on the number of threads that pop up when you search for kmspico on Reddit I have a feeling they will be busted soon, especially with linked KYC. You can still doubt and think the guys moon farming that’s fine but I’m giving you plenty of reasons not to think that anymore."
Reset Of Infected Computer
"So far I have [c]ompletely reset my computer and now have an antivirus and firewall that is set to "ask" for new network requests, [r]eset my passwords, [and f]iled a police report." "I filed a police report today and am waiting for a detective to reach out to me, going to try to formulate my case from the get go here and ask to have it escalated to the FBI."
Ultimate Outcome
TheAlmightyRedditor requested help from the Reddit community in tracking down where their funds went on the blockchain.
Follow Up For Community Help
TheAlmightyRedditor posted on the CryptoCurrency subreddit to see if the community could assist in tracing the transactions to potentially identify the thief[5][6].
Hey all, last post was removed as one of the cryptocurrencies was posted too many times for this sub.
First of all, I've been beating myself over this for the past three days so feel free to send hate but believe me I'm already kicking myself and just won't respond, but I know it'll come so give me all you got.
I downloaded malware from a website I won't link, it was unrelated to cryptocurrency and allowed someone access to my computer. They then accessed my metamask and other accounts and sent my funds to their wallet. So far I have:
- Completely reset my computer and now have an antivirus and firewall that is set to "ask" for new network requests
- Reset my passwords, etc.
- Filed a police report
I am hoping that others can help me cut through the Polygonscan addresses so I can definitively tell the detective where the money lies when I get a follow-up call. I believe I traced it to being sold for USDC on Quickswap and then it was entered into a staking pool. I'm less concerned about the (redacted, CC removed post for mentioning this one) however I will link the transaction address below if anyone wants to help. I've seen others obtain who the scammer was by linking the wallet to an exchange where they had KYC, so that might also be somewhere to start.
"[T]he easiest way is to track back the original gas deposit, the very first transaction a wallet makes when started, and trace that back to the exchange they purchased from. Alternatively, I like to look for them cashing out, actually sending stolen coins to an exchange, but this usually takes longer as they get better a[t] filtering through disguise wallets or using swaps that the smart contract within lets you send outside the source wallet, which obfuscates the transaction a few levels."
"Dead ends come from scammers that obtain their initial "capital" scammer fuel to transact using mining wallets, however I almost never find this as miners generally trust the network concept long term and want to support it while the scammers only want easy in/out in fiat while doing best to cover their tracks as they move on to the next easy money scam. Everything is traceable though with enough patience."
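The two tracing approaches the quoted commenter describes, walking back a wallet's first gas deposit and following stolen funds forward to an exchange, as an added example that is not part of the original page or its sources; the addresses, transfers and exchange labels below are constructed, not taken from the case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One native-coin transfer as a block explorer would list it."""
    block: int
    sender: str
    receiver: str
    value: float


# Constructed ledger (not real chain data): an exchange hot wallet funds an
# intermediary, which sends the scam wallet its first gas; the victim's coins
# then arrive, leave through a bridge and land on an exchange deposit address.
LEDGER = [
    Transfer(100, "0xEXCHANGE_HOT", "0xINTERMEDIARY", 0.5),
    Transfer(120, "0xINTERMEDIARY", "0xSCAM", 0.05),   # first inbound tx = gas deposit
    Transfer(130, "0xVICTIM", "0xSCAM", 9800.0),        # the theft itself
    Transfer(131, "0xSCAM", "0xBRIDGE", 9800.0),        # cross-chain swap/bridge
    Transfer(140, "0xOTHER", "0xSCAM", 0.01),           # later top-up, not the origin
    Transfer(150, "0xBRIDGE", "0xEXCHANGE_DEPOSIT", 9800.0),
]

# Constructed labels standing in for an explorer's exchange tags.
KNOWN_LABELS = {
    "0xEXCHANGE_HOT": "exchange hot wallet",
    "0xEXCHANGE_DEPOSIT": "exchange deposit address",
}


def first_funding_tx(ledger, wallet):
    """Earliest inbound transfer to `wallet`, or None when it has no inbound
    history at all (for example a wallet first funded by mining rewards, the
    dead end the quoted investigator describes)."""
    inbound = [t for t in ledger if t.receiver == wallet]
    return min(inbound, key=lambda t: t.block, default=None)


def trace_gas_origin(ledger, wallet, max_hops=10):
    """Walk back along first-funding transfers until a labelled address or a
    dead end is reached. Returns (path of addresses, label or None)."""
    path, seen = [wallet], {wallet}
    for _ in range(max_hops):
        if wallet in KNOWN_LABELS:
            return path, KNOWN_LABELS[wallet]
        tx = first_funding_tx(ledger, wallet)
        if tx is None or tx.sender in seen:      # unfunded wallet or a loop
            return path, None
        wallet = tx.sender
        seen.add(wallet)
        path.append(wallet)
    return path, KNOWN_LABELS.get(wallet)


def forward_cashouts(ledger, wallet, max_depth=5):
    """The slower alternative mentioned above: follow outbound transfers
    forward, breadth-first, and report every labelled exchange address the
    funds reach as (address, label, amount)."""
    hits, frontier, seen = [], {wallet}, {wallet}
    for _ in range(max_depth):
        reached = set()
        for t in ledger:
            if t.sender in frontier and t.receiver not in seen:
                seen.add(t.receiver)
                reached.add(t.receiver)
                if t.receiver in KNOWN_LABELS:
                    hits.append((t.receiver, KNOWN_LABELS[t.receiver], t.value))
        if not reached:
            break
        frontier = reached
    return hits


if __name__ == "__main__":
    print(trace_gas_origin(LEDGER, "0xSCAM"))
    print(forward_cashouts(LEDGER, "0xSCAM"))
```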
Potential Partnership With Other Victims
TheAlmightyRedditor reached out to PowerOfTheGods, another affected user on Reddit. After noticing that funds had gone to the same wallet address, they speculated that it was the same attacker and they should work together.
"Hey man! I think you DM’d me the other day but I accidentally ignored it. I am [a]ffected by the same hackers. Let’s team up here."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Individual Prevention Policies
The majority of CryptBot installations happen through downloading pirated software, and the malware is commonly detected by most anti-malware software. This incident was caused by the use of a pirated Windows activator. A far cheaper alternative than risking such a loss is to purchase a discounted license key from a third-party reseller.
"You don't have to buy a license directly from Microsoft. You can buy them resale for the amount I listed. My Pro key was $17. Just like you can buy keys for games from retailers other than Steam." "[Y]ou can easily find cheap activation keys for both office and windows (<10$). Yes, they usually come from grey market or whatever but just buy them with a temporary virtual payment card and activate your windows without installing some sh[ad]y software."
Any time untrusted software is run, there is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment: one where you understand every piece of software running in it. Using a hardware wallet, a spare computer with all other software wiped, and/or a virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and match the published hashes, if provided. Any time you encounter a new file, check whether it can contain executable code before using it.
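The hash and executable-content checks recommended above, worked through as an added example that is not code from the original page; the signature tables, file names and sample bytes are constructed for illustration, and the self-extracting case mirrors the SFX packaging described in the CryptBot quotes earlier on this page.

```python
import hashlib
import hmac
from typing import Optional

PE_MAGIC = b"MZ"                       # Windows executables start with "MZ"
ARCHIVE_MAGICS = {                     # common archive containers
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Extensions under which an MZ file is expected; anything else is a disguise.
PE_EXTENSIONS = {"exe", "dll", "scr", "cpl", "sys"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, published_hex: str) -> bool:
    """Compare against the publisher's advertised SHA-256, case-insensitively."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def classify(filename: str, data: bytes) -> dict:
    """Judge by signature bytes, never by the name the site gave the file.
    Only PE executables and archive containers are covered; scripts and
    documents with macros need separate handling."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_pe = data.startswith(PE_MAGIC)
    container = next((n for m, n in ARCHIVE_MAGICS.items() if data.startswith(m)), None)
    # An SFX archive is a PE stub with the archive appended after the header.
    embedded = [n for m, n in ARCHIVE_MAGICS.items() if m in data[len(PE_MAGIC):]]
    if is_pe and embedded:
        kind = "sfx_archive"
    elif is_pe:
        kind = "pe_executable"
    elif container:
        kind = f"{container}_archive"
    else:
        kind = "other"
    return {
        "kind": kind,
        "extension": ext,
        "executes_directly": is_pe,
        "may_hold_binaries": is_pe or container is not None,
        "extension_mismatch": is_pe and ext not in PE_EXTENSIONS,
    }


def assess(filename: str, data: bytes, published_hex: Optional[str] = None) -> list:
    """Combine both checks into findings; an empty list means nothing stood
    out, not that the file is safe."""
    info = classify(filename, data)
    findings = []
    if published_hex is None:
        findings.append("no published hash available to compare against")
    elif not hash_matches(data, published_hex):
        findings.append("SHA-256 does not match the published hash")
    if info["extension_mismatch"]:
        findings.append(f"Windows executable disguised with extension .{info['extension']}")
    if info["kind"] == "sfx_archive":
        findings.append("self-extracting archive: opening it runs code before unpacking")
    return findings


# Constructed sample bytes standing in for real downloads.
SFX_SAMPLE = b"MZ" + b"\x00" * 30 + b"Rar!\x1a\x07" + b"<archive body>"
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    print(assess("installer.zip", SFX_SAMPLE, "00" * 32))
    print(assess("setup.exe", SFX_SAMPLE, sha256_hex(SFX_SAMPLE)))
```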
For the highest security, always store funds offline when not in use, and test any new wallet or environment with a small amount of funds prior to any large transfer or wallet setup.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The primary issue was that TheAlmightyRedditor did not appear to understand the risk of running their cryptocurrency wallets in an untrusted environment.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
The primary issue was that TheAlmightyRedditor did not appear to understand the risk of running their cryptocurrency wallets in an untrusted environment.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Got compromised and lost over $120k in crypto; AMA : CryptoCurrency (Jun 1, 2022)
- [2] https://ca.trustpilot.com/review/official-kmspico.com (Jun 4, 2022)
- [3] TheAlmightyRedditor - Polygon added to Ledger Live - 0xPolygon Reddit (Jul 3, 2022)
- [4] TheAlmightyRedditor - Polygon added to Ledger Live - 0xPolygon Reddit Archive December 17th, 2021 12:18:29 PM MST (Sep 1, 2023)
- [5] TheAlmightyRedditor - 10k polygon stolen, hoping for help - retry post - CryptoCurrency Reddit (Jul 3, 2022)
- [6] TheAlmightyRedditor - 10k polygon stolen, hoping for help - retry post - CryptoCurrency Reddit Archive December 30th, 2021 10:58:31 AM MST (Sep 1, 2023)
- [7] TheAlmightyRedditor - "Ya I got hacked from this same address recently I downloaded malware from official-kmspico.com" - Reddit (Jul 3, 2022)
- [8] Address 0x817592a56C48800119AB9F54C9957bCd51b5629F | PolygonScan (Jul 3, 2022)
- [9] Polygon Transaction Hash (Txhash) Details | PolygonScan (Jul 3, 2022)
- [10] Address 0x365db2b5722d13f431224066898b4cf8ca7adfe5 | PolygonScan (Jul 3, 2022)
- [11] Polygon Transaction Hash (Txhash) Details | PolygonScan (Jul 3, 2022)
- [12] Polygon Transaction Hash (Txhash) Details | PolygonScan (Jul 3, 2022)
- [13] https://bscscan.com/tx/0xa9c2d34c22022bba783eaa914613e68e2a5814355028dc5f027a831ae50eb6fe (Jul 3, 2022)
- [14] https://bscscan.com/address/0x365db2b5722d13f431224066898b4cf8ca7adfe5 (Jul 3, 2022)
- [15] https://bscscan.com/txs?a=0xd112524cbf6b18bee41588a47d59eb810f637a20 (Jul 3, 2022)
- [16] TheAlmightyRedditor - "This is true I was hacked for 30k a few days ago from the same address" - Reddit (Jul 3, 2022)
- [17] TheAlmightyRedditor - "It seems to be some sort of network of scammers. I downloaded malware from official-kmspico.com so from a different source however the funds were transferred to this wallet. I think this is actually something larger than just one hacker/scammer. And based on the number of threads that pop up when you search for kmspico on Reddit I have a feeling they will be busted soon, especially with linked KYC. You can still doubt and think the guys moon farming that’s fine but I’m giving you plenty of reasons not to think that anymore." - Reddit (Sep 1, 2023)