Skip to main content
Mallory
Back to malware
Malware

CryptoRipper

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566PhishingEvidence1

The social-engineering campaign combines a core WordPress-based phishing site, GitHub and SourceForge repos hosting the malware, YouTube channels promoting the malware, VirusTotal upvotes and comments and press releases posted to legitimate news sites.

Stealth

1 technique
T1036MasqueradingEvidence1

The threat actor advertises fake software offering a competitive edge to crypto traders and players of online gambling games... The fake software being advertised mainly include “sniper bots” for Solana and Pump.fun... an “Aviator Predictor”... and other predictor tools.

Collection

1 technique
T1115Clipboard DataEvidence1

The clipboard hijacker payload constantly monitors changes to users’ clipboard contents for cryptocurrency wallet addresses and replaces them with the attacker’s wallet addresses to steal crypto transfers.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
scworldNews
Jun 18, 2026
Malware campaign uses VirusTotal manipulation, legitimate news sites to gain reputation | news | SC Media

A Bitcoin-stealing malware/tool associated with cryptocurrency theft. The broader campaign described uses clipboard hijacking to replace copied wallet addresses with attacker-controlled addresses.

Read more
checkpoint research blogNews
Jun 17, 2026
From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker - Check Point Research

A malicious crypto-related clipper/bitcoin stealer tool referenced as being shared by the actor on a hacking forum.

Read more
socradar blogNews
Dec 22, 2025
PSN Satellite Data Re-Listed, CryptoRipper Tool, and Chromium 0-Day Advertised

CryptoRipper is a cryptocurrency-stealing malware tool designed to exfiltrate various cryptocurrencies from infected devices. It features a builder for custom payloads, persistence mechanisms, and anti-kill features.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.