Cryptocurrency market players have seen rapid ups and dramatic downs of Bitcoin price over the past few years. Having taken a nosedive from nearly $20,000 down to $6,000 in 2017–2018, and even below a $4,000 threshold in early 2019, the value of this popular crypto coin started bouncing back this spring and reached $8,000. Furthermore, experts predict a new BTC boom in another two years’ time.
Whereas the recent trend looks promising for hungry investors, it appears to have also become a major driving force for cybercriminals to reactivate their shenanigans in the Bitcoin ecosystem. In the not-so-distant past, cryptocurrency fans have been mostly targeted by fraudulent ICOs (Initial Coin Offerings), phony coin exchange offers, and Ponzi schemes. Now, the scams have gotten an extra flavor of malware. The examples below shed light on the new tricks in crooks’ portfolio.
Bitcoin fraud pushing ransomware
A scam wave discovered in late May 2019 has been disseminating ransomware and, more recently, an info-stealing infection under the guise of a utility called Bitcoin Collector. The sketchy offer is marketed as a way to earn $15–30 in Bitcoin by simply running the software and with no strings attached. Furthermore, the con artists promise 3 Ethereum (about $735) for 1,000 leads to their site via one’s personal referral link.
The ability to make crypto coins instantly and with hardly any effort is a catch that can easily get people on the hook. Once a user clicks to proceed, they are forwarded to the Bitcoin Collector app download link. To add some ostensible legitimacy to the stratagem, the page provides a VirusTotal link supposedly proving that the file has a zero detection rate. However, this dummy check is there just for show: the scan it points to has nothing to do with the malicious payload that is actually downloaded.
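The cheap way to defeat the trick described above is to never trust a scan link someone else hands you: compute the hash of the file you actually downloaded and compare it with the hash embedded in the VirusTotal URL. The following Python is an added example, not code from the article or from any of the tools it mentions; it assumes the usual VirusTotal report URL shape of `/gui/file/<sha256>` and uses constructed sample bytes in place of a real download.

```python
"""Check that a VirusTotal report link actually describes the file on disk.

Added example. Assumptions: VirusTotal report URLs carry the SHA-256 of the
scanned file as the path segment after /gui/file/ ; the sample bytes below
are constructed, not a real download.
"""
import hashlib
import re
from pathlib import Path
from typing import Optional

# A 64-hex-digit SHA-256 following /gui/file/ (assumed VirusTotal URL layout).
VT_SHA256_RE = re.compile(r"/gui/file/([0-9a-fA-F]{64})")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large downloads do not need to fit in RAM."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_from_virustotal_url(url: str) -> Optional[str]:
    """Extract the SHA-256 a VirusTotal report URL refers to, or None if absent."""
    m = VT_SHA256_RE.search(url)
    return m.group(1).lower() if m else None


def download_matches_report(downloaded: bytes, report_url: str) -> bool:
    """True only when the report URL names exactly the bytes that were downloaded.

    A scam page can link a clean file's report next to a malicious download;
    a hash mismatch here exposes that mismatch before the file is ever run.
    """
    claimed = hash_from_virustotal_url(report_url)
    if claimed is None:
        return False  # no verifiable claim at all: treat as unverified
    return claimed == sha256_hex(downloaded)


# Constructed demonstration data: the page advertises a report for one blob,
# while the ZIP that is actually served is a different blob.
ADVERTISED_CLEAN_FILE = b"constructed: harmless-looking utility bytes"
ACTUAL_DOWNLOAD = b"constructed: bytes of the file really served to the victim"
SCAM_REPORT_URL = (
    "https://www.virustotal.com/gui/file/" + sha256_hex(ADVERTISED_CLEAN_FILE) + "/detection"
)

if __name__ == "__main__":
    print("report matches download:", download_matches_report(ACTUAL_DOWNLOAD, SCAM_REPORT_URL))
```

When the two hashes differ, the "zero detections" page is evidence about some other file, not about the one sitting in your downloads folder; submit the actual file (or its hash) yourself instead.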
The dodgy download is a ZIP file which, when extracted, includes a bevy of items. One of them is a binary named BotCollector.exe that executes the rogue Bitcoin generator. In fact, though, the booby-trapped “Freebitco.in — Bot” program fires up a final-stage malware payload. In most cases, it’s a ransomware sample called Marozka Tear Ransomware. This pest finds and encrypts most of the victim’s personal files, appending the .Crypted extension to them. It drops a ransom note that provides further instructions on data recovery through payment. This is certainly an adverse scenario, but there is some good news for those infected. The culprit turned out to be a spinoff of the notorious open-source Hidden Tear ransomware, which means it can be decrypted for free.
In some cases, though, the payload launched via the Bitcoin Collector scam can be an info-stealer. The one currently in rotation is called Baldr. When the attack is underway, the infection reaches out to the criminals’ C2 servers and awaits commands regarding the types of data to harvest on the contaminated host. Baldr is capable of collecting and exfiltrating authentication details for websites and browsing history. To top it off, it can take screenshots and steal arbitrary files. Given the multitude of this Trojan’s shady characteristics, being infected with the above-mentioned ransomware appears to be the lesser of two evils.
Fishy YouTube videos bolstering malware-riddled Bitcoin scam
Those seeking quick and easy cryptocurrency gain are the target audience of another Bitcoin scam making the rounds on YouTube. The malicious actors have been advertising Bitcoin generator software that allegedly allows users to earn coins in an effortless way. Unlike the above scheme, this campaign relies on YouTube videos that describe the deal as the best thing since sliced bread and provide links to download the tool.
However, these claims are nothing but a smokescreen that dupes people into downloading a Trojan codenamed Qulab. The harmful payload is hosted on the pCloud encrypted storage platform. When launched, it performs thorough reconnaissance on the host. In particular, the Qulab Trojan pilfers login credentials for websites and gaming-related services such as Steam and Discord. It also scours the FileZilla FTP client for saved authentication data, and steals browser cookies and cryptocurrency wallet information.
One of Qulab’s most unsettling features is that it tampers with the Windows clipboard. The malware keeps track of information that the victim copies to the clipboard, focusing on items that fit the mold of a typical cryptocurrency address. When a match is found, the Trojan covertly replaces it with another address, so that whenever the user sends Bitcoin the funds go to the perpetrators instead of the intended recipient.
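The defensive counterpart to that clipboard trick is to watch the clipboard yourself and flag the tell-tale pattern: one valid Bitcoin address being replaced by a different valid address within a fraction of a second, with no user copy in between. The Python below is an added example written for this article, not code from the page or from any product; it validates addresses with Base58Check (legacy `1…`/`3…` addresses only), builds its own constructed addresses so no real wallet is referenced, and feeds the detector a constructed list of clipboard snapshots where a real monitor would read the OS clipboard. The two-second window is an assumed threshold, not a value from the article.

```python
"""Clipboard address-swap detector (added example, modelled on the Qulab behaviour).

Assumptions: legacy Base58Check Bitcoin addresses; a monitor that records every
clipboard change as (seconds, text); SWAP_WINDOW_SECONDS is a chosen heuristic.
All addresses and snapshots below are constructed for the demonstration.
"""
import hashlib
import re
from typing import List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy address shape: version character 1 or 3, then 25..34 Base58 characters.
LEGACY_ADDR_RE = re.compile(r"^[13][" + B58_ALPHABET + r"]{25,34}$")
SWAP_WINDOW_SECONDS = 2.0  # assumed: a person does not copy two different addresses this fast


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload + first 4 bytes of double-SHA-256, then Base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160) or None if malformed/bad checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_bitcoin_address(text: str) -> bool:
    """Shape check plus checksum check: a swapped-in address must pass both to be usable."""
    return bool(LEGACY_ADDR_RE.match(text)) and b58check_decode(text) is not None


def detect_clipboard_swaps(snapshots: List[Tuple[float, str]]) -> List[Tuple[str, str, float]]:
    """Flag (old_address, new_address, when) whenever one valid address is replaced by
    another valid address faster than a human plausibly could."""
    alerts = []
    prev_t: Optional[float] = None
    prev_text: Optional[str] = None
    for t, text in snapshots:
        if (prev_text is not None
                and text != prev_text
                and is_bitcoin_address(prev_text)
                and is_bitcoin_address(text)
                and t - prev_t <= SWAP_WINDOW_SECONDS):
            alerts.append((prev_text, text, t))
        prev_t, prev_text = t, text
    return alerts


# Constructed addresses: version byte 0x00 plus an arbitrary 20-byte hash160.
PAYEE_ADDRESS = b58check_encode(b"\x00" + bytes(range(1, 21)))
REPLACED_ADDRESS = b58check_encode(b"\x00" + hashlib.sha256(b"constructed second address").digest()[:20])

# Constructed clipboard history: the user copies the payee's address, and 300 ms
# later the clipboard silently holds a different, equally valid address.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Monday"),
    (5.0, PAYEE_ADDRESS),
    (5.3, REPLACED_ADDRESS),
    (40.0, "invoice 1042"),
]

if __name__ == "__main__":
    for old, new, when in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={when}s clipboard address changed without a copy: {old} -> {new}")
```

The checksum validation matters for two reasons: it keeps the detector from alerting on random Base58-looking strings, and it mirrors what the wallet will do, so an address that passes here is one the wallet would happily pay. The same comparison, done by hand, is the practical habit the article's advice implies: re-read the pasted address against the one you copied before confirming a transfer.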
The shutdown of major mixer site making crooks’ lives harder
In May 2019, the Dutch Fiscal Information and Investigation Service seized one of the world’s largest Bitcoin mixing services, known as BestMixer.io. This was a well-coordinated operation additionally involving Europol and Luxembourg authorities. It ensued from an almost year-long investigation conducted by Dutch law enforcement in collaboration with the security firm McAfee.
Mixer websites, or tumblers, are often leveraged by criminals to launder ill-gotten funds. For a fee, they scramble the flow of cryptocurrency to conceal its true origin from authorities. Having been launched in May 2018, BestMixer.io reportedly reached a turnover of $200 million in a year. As per the investigators’ findings, a considerable portion of this amount stemmed from criminal sources.
The anti-laundering initiative led to a seizure of six servers associated with the mixer, which stopped its fraudulent activity in its tracks. Obviously, malefactors now have to look for alternative methods to obfuscate their illegal Bitcoin transactions.
Bitcoin scam protection tips
Before deciding on trading strategies and participating in any enticing blockchain venture, companies and ordinary users are strongly recommended to scrutinize its reputation, look for opinions of renowned market influencers, and read the fine print to identify potential red flags. Various Bitcoin “generators” and “collectors” that promise instant revenue are most likely to cloak dangerous ransomware or spyware payloads. Businesses should refrain from investing in Bitcoin projects that purportedly guarantee quick ROI and profits — these claims often accompany ICO exit scams and pyramid schemes. All in all, if a cryptocurrency offer looks too good to be true, the rule of thumb is to stay away from it.