A Lithuanian citizen has been arrested for allegedly spreading malware to millions of computers by disguising it as KMSAuto, a well-known illegal tool used to activate Windows and Microsoft Office without a license.
South Korean police say the 29-year-old suspect was extradited from Georgia to South Korea with the help of Interpol.
Investigators believe he added malicious code to the fake KMSAuto program and shared it online, tricking users into installing malware on their systems.
Once installed, the malware secretly monitored what users copied to their clipboard. When it detected a cryptocurrency wallet address, it replaced it with a wallet address controlled by the attacker. As a result, funds were sent to the wrong address without the victim noticing. This type of attack is commonly known as clipper malware.
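A defender can look for this behaviour by sampling the clipboard and flagging a wallet address that turns into a different address of the same format within moments. The sketch below is an added example, not code from the investigation or from any tool named in this article; the address patterns, the two-second threshold, the function names and the sample data are all assumptions made for illustration.

```python
import re

# Format checks only (no checksum validation); patterns are assumptions.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None

def find_swaps(samples, max_gap=2.0):
    """Flag consecutive clipboard samples where one address became a
    different address of the same family within max_gap seconds.

    samples: list of (timestamp_seconds, clipboard_text), oldest first.
    Returns a list of (t_before, t_after, family, old_text, new_text).
    """
    alerts = []
    for (t0, old), (t1, new) in zip(samples, samples[1:]):
        family = classify(old)
        if (family is not None
                and family == classify(new)
                and old.strip() != new.strip()
                and t1 - t0 <= max_gap):
            alerts.append((t0, t1, family, old.strip(), new.strip()))
    return alerts

# Constructed sample data: placeholder strings, not real wallet addresses.
ORIGINAL = "0x" + "a" * 40
REPLACED = "0x" + "b" * 40
SAMPLES = [
    (0.0, "meeting notes"),      # ordinary text, ignored
    (5.0, ORIGINAL),             # user copies an address
    (5.4, REPLACED),             # same format, new value 0.4 s later
    (60.0, "1" + "A" * 30),      # different family, long gap: no alert
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLES):
        print("possible clipboard address swap:", alert)
```
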
According to the Korean National Police Agency, the malware was distributed globally between April 2020 and January 2023. During that time, around 2.8 million infected copies were spread worldwide. Authorities estimate that the attacker stole about KRW 1.7 billion, or roughly $1.2 million, through more than 8,400 cryptocurrency transactions involving about 3,100 wallet addresses.
The investigation began in August 2020 after a victim reported suspicious cryptocurrency activity. Police discovered that the victim’s system had been infected with clipper malware that altered wallet addresses during transactions. Further analysis traced the infection back to the tampered KMSAuto activation tool.
Investigators found that the malware affected users connected to at least six different cryptocurrency exchanges. By tracking the stolen funds and analyzing digital evidence, authorities were eventually able to identify the suspect.





