A new malware campaign has been identified that swaps major cryptocurrency wallet addresses, including those for bitcoin (BTC) and XRP, with attacker-controlled addresses. It is more advanced than existing clipper malware, relying on a browser extension and remote servers to evade detection.
On July 1, blockchain outlet U.Today reported that McAfee Advanced Threat Research said it found a new crypto-stealing malware it named Silent Swap.
At the core of Silent Swap is intercepting a cryptocurrency wallet address a user copies and replacing it with an address specified by the attacker. Unlike typical clipper malware that uses wallet addresses pre-stored inside the malware, Silent Swap operates through a browser extension and pulls wallet addresses in real time from an attacker-controlled backend server.
Researchers described this as a "Server-side Wallet Mapping" technique. If a string copied in the browser matches the wallet address format for supported cryptocurrencies such as bitcoin, ethereum (ETH), XRP, bitcoin cash (BCH) and dash (DASH), the malicious extension queries the server, retrieves a new wallet address and automatically replaces it.
Infections mostly begin when a user runs an unsigned .NET- or Go-based installer file. Such installers are typically distributed disguised as free software or cracked versions of paid programs. After infection, a malicious browser extension is installed that masquerades as a legitimate program named "Google Note".
The malware mainly targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave and Opera. Investigators found it tampers with browser configuration files to forcibly insert the extension, then recalculates and updates security data used to verify extension integrity, bypassing security checks. The installed extension obtains broad permissions and runs persistently inside the browser.
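As an added example (not code from the McAfee report or this article), here is a defender-side audit of a Chromium Preferences file in the spirit of the tampering described above. It parses a constructed sample modelled on the `extensions.settings` layout (the ids, names and paths are invented; the key names used are an assumption about the file format) and flags extensions that were sideloaded rather than installed from the Web Store, hold clipboard or all-site permissions, or carry the "Google Note" name reported in this campaign.

```python
import json

# Permissions that let an extension read or rewrite what the user copies and
# pastes, or observe every page; on an extension you never knowingly installed,
# any of these deserves a second look.
SENSITIVE_PERMISSIONS = {"clipboardRead", "clipboardWrite", "tabs", "scripting",
                         "webRequest", "<all_urls>", "*://*/*"}

# Constructed sample modelled on the Chromium Preferences layout
# (extensions.settings keyed by extension id). Ids, names and paths are made up
# for this example; the field names are an assumption about the real format.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "state": 1,
            "manifest": {"name": "Example Blocker", "version": "1.0",
                         "permissions": ["storage"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\gnote",
            "manifest": {"name": "Google Note", "version": "1.2",
                         "permissions": ["clipboardRead", "clipboardWrite", "tabs"],
                         "host_permissions": ["<all_urls>"]}},
    }}})


def audit_extensions(preferences_json, allowlist=frozenset()):
    """Return a list of findings as (extension id, name, [reasons])."""
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if ext_id in allowlist:          # known-good ids the analyst has vetted
            continue
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<unnamed>")
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store (sideloaded)")
        hits = sorted(perms & SENSITIVE_PERMISSIONS)
        if hits:
            reasons.append("sensitive permissions: " + ", ".join(hits))
        if name.strip().lower() == "google note":
            reasons.append("name matches the extension reported in the Silent Swap campaign")
        if reasons:
            findings.append((ext_id, name, reasons))
    return findings


if __name__ == "__main__":
    for ext_id, name, reasons in audit_extensions(SAMPLE_PREFERENCES):
        print(f"{ext_id} ({name}): " + "; ".join(reasons))
```

On a live system, read the profile's Preferences file into `preferences_json` and pass the ids of extensions you deployed deliberately as `allowlist`.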
Its command-and-control (C2) method also differs from existing malware. Instead of storing a C2 server address directly inside the malware, attackers used the EtherHiding technique to deliver server information through distributed infrastructure, making tracking more difficult.
McAfee researchers assessed Silent Swap as a case that combines advanced browser manipulation techniques with a distributed command-and-control infrastructure. They said it is harder to detect and block than existing clipper malware.
So far, confirmed damage has occurred in multiple regions, with infections concentrated in India. The overall scale of infections and the amount of losses were not disclosed.
Experts analysed the case as showing that crypto-stealing techniques are evolving beyond simple clipboard monitoring toward targeting the browser's security structure itself. They stressed that because wallet addresses are changed automatically inside the browser once a user has run an installer mistaken for a legitimate program, the key preventive step is to always check the final recipient address before sending cryptocurrency.