A massive cryptojacking operation has been silently stealing digital assets from hundreds of thousands of victims since early 2025. Dubbed “MassJacker” by cybersecurity firm CyberArk, this malware has targeted over 778,000 cryptocurrency wallets through a deceptively simple yet effective technique: clipboard hijacking. It’s not rocket science. You copy a wallet address, MassJacker swaps it with the attacker’s address, and boom—your crypto is gone forever.
The infection chain begins at pesktop[.]com, a sketchy site hosting pirated software. Once downloaded, a command script triggers a PowerShell script that fetches the Amadey bot and two loader files. These loaders work together to inject the final payload into a legitimate Windows process. Sneaky stuff.
Pesktop[.]com serves as the infection ground zero—delivering a cascade of malicious scripts that ultimately nest the MassJacker payload within legitimate processes.
What makes MassJacker particularly nasty is its evasion tactics. It uses Just-In-Time hooking, custom virtual machines, and obfuscation techniques that drive security researchers crazy. The malware monitors your clipboard for cryptocurrency addresses using regex patterns and instantly replaces them with attacker-controlled wallets. Your money, their pockets.
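As an added defensive example (not from CyberArk's report or this article), here is a small Python monitor that classifies clipboard text with address regexes for the chains named above and flags the tell-tale pattern of a hijack: a copied address replaced by a different address of the same chain within a couple of seconds. The `Snapshot`/`find_swaps` names, the 2-second threshold and the clipboard trace are constructed for illustration; a real monitor would poll the OS clipboard instead of a list.

```python
import re
from dataclasses import dataclass

# Approximate address formats for the chains named in the article.
# Order matters: a legacy Bitcoin address is also valid base58 of Solana
# length, so the Bitcoin patterns are tried first.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def classify(text):
    """Return the chain name if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None

@dataclass
class Snapshot:
    ts: float   # seconds since the monitor started
    text: str   # clipboard contents observed at that time

def find_swaps(snapshots, max_gap=2.0):
    """Flag consecutive snapshots where one address was replaced by a
    different address of the same chain within max_gap seconds. A person
    re-copying a different address normally takes longer; a clipboard
    hijacker rewrites the clipboard almost immediately after the copy.
    The 2-second default is an assumed heuristic, not a measured value."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        chain = classify(prev.text)
        if chain is None or chain != classify(cur.text):
            continue
        if prev.text.strip() != cur.text.strip() and cur.ts - prev.ts <= max_gap:
            alerts.append({"chain": chain, "copied": prev.text.strip(),
                           "replaced_with": cur.text.strip(),
                           "after_s": round(cur.ts - prev.ts, 2)})
    return alerts

# Constructed clipboard trace; the addresses are made-up sample values.
SAMPLE_TRACE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, "0x" + "a1" * 20),   # user copies an Ethereum address
    Snapshot(5.3, "0x" + "b2" * 20),   # rewritten 300 ms later: swap signature
    Snapshot(40.0, "0x" + "c3" * 20),  # a new copy much later: benign
]

if __name__ == "__main__":
    for a in find_swaps(SAMPLE_TRACE):
        print(f"[ALERT] {a['chain']} address rewritten {a['after_s']}s after copy")
```

The same check can be run at paste time in a wallet front end: compare the address the user originally copied with what is about to be sent, and refuse the transaction when they differ.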
The scale is staggering. Researchers found 423 wallets linked to the operation containing $95,300 at the time of analysis. One Solana wallet alone accumulated over $300,000. The true damage is likely much higher.
Victims never suspect a thing. They think they’re sending funds to their intended recipient, but they’re actually funding criminals. The transactions are irreversible, of course. Once it’s gone, it’s gone.
MassJacker targets multiple cryptocurrencies across various blockchains. Bitcoin, Ethereum, Solana—they’re not picky. If you can trade it, they can steal it. This type of attack follows a similar pattern to address poisoning techniques identified by security researchers.
The whole operation appears to be running as a malware-as-a-service model, meaning multiple criminal groups could be using it. Great. Just what the crypto world needed—more scammers with better tools. Small businesses are particularly vulnerable to these attacks, with zero trust architecture becoming essential for protecting digital assets of any size.
For now, MassJacker continues to operate in the shadows, exploiting users who simply want to move their digital assets from one place to another. Experts strongly recommend using hardware wallets to protect valuable cryptocurrency holdings from this type of malicious software.