Newly Discovered Malware Has Arsenal of Tricks to Help It Steal Crypto

Cybersecurity researchers said "KyberCibule" covertly mines for privacy coin monero and could also steal victims' passwords and divert crypto funds.

AccessTimeIconSep 2, 2020 at 3:58 p.m. UTC
Updated Sep 14, 2021 at 9:51 a.m. UTC

An advanced form of cryptocurrency-targeting malware shared through pirated software and games downloaded from torrent sites poses multiple threats to victims.

  • In a report Wednesday, researchers at Slovakian cybersecurity firm ESET said they had found malicious code within the installer program for media files that contains a cryptocurrency mining bot.
  • Once downloaded, the hidden app starts its mining bot to hijack computer power and mine monero, as well as ether if a GPU card is detected.
  • However, the malware has evolved in its two years of existence to possess other tricks that are more concerning to users of cryptocurrency.
  • Dubbed "KryptoCibule" – a combination of the Czech and Slovak words for "cryptocurrency" and "onion" – the malware can also change a wallet address to one linked to the hacker when pasted from the clipboard, potentially diverting funds sent to the victim.
  • Further, it will hunt for, and steal, cryptocurrency passwords, private keys or key phrases stored on the host machine's hard drive.
  • The malware is spread by users sharing the affected media files on peer-to-peer file-sharing networks.
  • It also updates itself using BitTorrent, which was acquired by Tron in mid-2018, the researchers said.
  • ESET said KryptoCibule had stolen roughly $1,800 in bitcoin and ether by changing victims' wallet addresses.
  • They were unable to determine how much the hacker stole through the mining bot or from stealing passwords.
KryptoCibule evolution
KryptoCibule evolution
  • KryptoCibule likely started operation in late 2018 but has remained hidden till now thanks to being designed to evade detection.
  • KryptoCibules hides in files that work normally, so victims are less likely to suspect anything amiss. It also actively watches for, and hides from, antivirus tools such as Avast.
  • In addition, it contains a command line to the Tor browser that encrypts communications and makes it impossible to trace the mining server behind KryptoCibule.
  • KryptoCibule also monitors the computer's battery so it doesn't consume too much power and thus get noticed.
  • If the battery falls below 30%, KryptoCibule shuts off the GPU miner and runs its monero miner at a much lower capacity. The whole program shuts down should battery go under 10%.
  • Despite its sophistication, ESET said the bot had so far only been downloaded by several hundred computers, mostly based in Czechia and Slovakia.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about