A stealthy botnet that has infected computers in nearly 100 different countries is silently stealing cryptocurrency from its victims. From November 2020 to November 2021 it hijacked nearly $500,000.
The Phorpiex botnet has been operating since 2016 and is made up of hundreds of thousands of compromised devices. Back in 2019 it was grabbing headlines for an alarmingly successful sextortion email campaign that was raking in $20,000 a month for its criminal controllers.
Phorpiex also has the ability to steal cryptocurrency, which it does by “crypto-clipping.” In these attacks, malware on an infected devices waits for cryptocurrency transactions to be take place. When a transaction is detected, the malware clips the original destination wallet address and replaces it with one controlled by the attacker.
According to Check Point Research the Phorpiex crypto-clipper supports more than 30 different cryptocurrencies. Since April of 2016 Phorpiex has hijacked thousands of transactions and swiped around 38 Bitcoin and 133 Ether. At today’s exchange rates that works out to around $2.2 million in stolen cryptocurrency.
From last November until this November alone Phorpiex successfully clipped 969 transactions. Those attacks netted its controller(s) more than $650,000.
This summer, however, the botnet activity suddenly tailed off. In August one of its creators allegedly walked away from cybercrime and the other decided to sell the Phorpiex code to the highest bidder.
Whether or not a sale actually happened, Phorpiex was back a few weeks later with some new tricks. A new variant called Twizt emerged.
One of the biggest differences with Twizt is that the botnet is now able to communicate peer-to-peer. That means it’s not dependent on specific command and control servers. Infected hosts can send instructions to each other.
Twizt has also added a double-encrypted protocol for communication and new data integrity functions. Check Point researcher Alexey Bukhteyev says “The emergence of such features suggests that the botnet may become even more stable and therefore, more dangerous.”
Security researchers had managed to take control of the Phorpiex botnet on a couple of occasions in the past. That could be much, much harder now that Twizt has emerged.