Phorpiex, an old threat known for its sextortion spam campaigns, crypto-jacking, cryptocurrency clipping and ransomware spread. In 12 months, 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens were taken; 26 ETH hijacked in one instance.
Phorpiex, a new botnet variant spotted by Check Point Research (CPR), has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, botnet known for sextortion and crypto-jacking, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address. Twizt, operates without active command and control servers, meaning each computer that it infects can widen the botnet. CPR estimates that Twizt has taken nearly half a million dollars’ worth of cyptocurrency. New features to Twizt has led CPR to believe that the botnet may become even more stable and, therefore, more dangerous. CPR warns cryptocurrency traders to beware of who they send funds to, as 969 transactions have been intercepted and counting. Twizt can operate without active C&C servers, enabling it to evade security mechanisms.
In 2021, Phorpiex bots were found in 96 countries. Most Phorpiex victims are located in Ethiopia, Nigeria and India.
Since Twizt can operate in peer-to-peer mode, each of the infected computers can act as a server and send commands to other bots in a chain. As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections. The new bot uses its own binary protocol over TCP or UDP with two layers of RC4-encryption. It also verifies data integrity using RSA and RC6-256 hash function.
Twizt leverages a technique called “crypto clipping”, which is the theft of cryptocurrency during transactions through the use of malware that automatically substitutes the intended wallet address with the threat actor’s wallet address. The result is that funds go into the wrong hands.
In a one-year period, between November 2020 to November 2021, Phorpiex bots hijacked 969 transactions, stealing 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens. The value of the stolen assets in current prices is almost half a million US dollars. Several times, Phorpiex was able to hijack large amounts transactions. The largest amount for an intercepted Ethereum transaction was 26 ETH. In 2021, the price of Bitcoin and Ethereum increased significantly. The value of the stolen assets in current prices is almost half a million US dollars. However, between April 2016 to November 2021, Phorpiex bots hijacked approximately 3000 transactions with a total value of approximately 38 Bitcoin, and 133 Ether.
The total value of the stolen money could be even higher because other blockchains were not included in this research. The average stolen value in hijacked transactions is not very large and decreases when the cryptocurrency price rises. The following chart shows how the average amount hijacked changes over time.
Alexander Chailytko, Cyber Security Research & Innovation Manager at Check Point Software, says, “There are three main risks involved with the new variant of Phorpiex. First, Twizt uses peer-to-peer model and is able to receive commands and updates from thousands of other infected machines. A peer-to-peer botnet is harder to take down and disrupt its operation. This makes Twizt more stable than previous versions of Phorpiex bots. Second, as well as old versions of Phorpiex, Twizt is able to steal crypto without any communication with C&C, therefore, it is easier to evade security mechanisms, such as firewalls in order to do damage. Third, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero. This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all crypto currency users to double check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands.”
- Check wallet address. When users copy and paste a crypto wallet address, always double check that the original and pasted addresses match.
- Test transactions. Before sending large amounts in crypto, first send a probe “test” transaction with minimal amount.
- Stay updated. Keep operating system updated, do not download software from unverified sources.
- Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space, always look at the first website in your search and not in the ad. These may mislead you as CPR has found scammers using Google Ads to steal crypto wallets.
- Look at URLs. Always double-check the URLs!