malware | International | BleepingComputer
Hacker arrested for KMSAuto malware campaign with 2.8 million downloads
Tuesday, December 30, 2025
What
A hacker distributed clipper malware via a malicious version of KMSAuto, an illegal Windows/Office activator, to steal cryptocurrency by swapping wallet addresses on victims' clipboards. This highlights the significant risks associated with using pirated software, which often serves as a vector for various cyber threats.
Where
Affected systems were located worldwide, and the investigation was led by South Korea. The perpetrator is a Lithuanian national who was arrested in Georgia, and the malware targeted at least six cryptocurrency exchanges.
When
The malware was distributed from April 2020 to January 2023. The investigation began in August 2020 and led to an arrest in April 2025.
Key Factors
- The attacker leveraged the popular illegal activation tool KMSAuto to distribute clipper malware, which specifically targeted and replaced cryptocurrency wallet addresses copied to the clipboard.
- The campaign infected 2.8 million systems globally, resulting in the theft of approximately $1.2 million (KRW 1.7 billion) across 8,400 transactions from 3,100 virtual asset addresses.
- The international investigation, coordinated by Interpol and led by the Korean National Police Agency, spanned several years, culminating in the arrest and extradition of the Lithuanian suspect.
Takeaways
- Users must strictly avoid downloading and using unofficial or pirated software activators like KMSAuto, as they are frequently used as a primary vector for malware distribution.
- Always verify the digital signature and source integrity of any executable files, especially those not obtained from official vendors, to prevent clipper malware and other infections.
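
The clipboard address swapping described above leaves a recognizable trace: one wallet-format string is replaced by a different string of the same format moments after the copy. The following is an added example, not code from the article or the investigation, showing that detection heuristic over recorded clipboard snapshots. The address patterns, the 2-second window, the function names and the sample data are all assumptions made for illustration.

```python
import re

# Common wallet address shapes (format check only, no checksum validation).
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the wallet format name that text matches, or None."""
    text = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(snapshots, window=2.0):
    """Flag clipboard changes where one address is replaced by a different
    address of the same format within `window` seconds (assumed threshold),
    the pattern a clipper produces when it overwrites a fresh copy."""
    alerts = []
    for (t0, old), (t1, new) in zip(snapshots, snapshots[1:]):
        kind = address_kind(old)
        same_kind = kind is not None and kind == address_kind(new)
        if same_kind and old.strip() != new.strip() and (t1 - t0) <= window:
            alerts.append({"time": t1, "kind": kind, "copied": old, "now": new})
    return alerts

# Constructed sample: (seconds, clipboard text). The addresses are made-up
# strings that only satisfy the format patterns; they are not real wallets.
SAMPLE = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a1" * 20),
    (10.3, "0x" + "ff" * 20),     # replaced 0.3 s after the copy: flagged
    (60.0, "bc1q" + "q" * 38),
    (300.0, "bc1q" + "p" * 38),   # user copied another address minutes later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The same comparison applies at paste time: checking that the address in a transaction form matches the one originally copied catches the substitution before funds are sent.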