Bitcoin stealer malware disguised as application to access MtGox DB

Pierluigi Paganini March 17, 2014

The MtGox data leaked by the popular exchange was invented by hackers to infect a large audience with a Bitcoin stealer malware.

Last month the biggest MtGox exchange filed for bankruptcy after it lost nearly 850,000 Bitcoins, it is a fraud, according an unknown hacker who breached into the personal blog and Reddit account of MtGox CEO, Mark KarpelesAs usual cybercrimeis always ready to exploit any event to monetize its effort.

The hacker also posted the link to the zip file contained data leaked during the attack, it is a 716MB ZIP archive,, which contains the data dump and tools for remote access to MtGox data. Many users have contacted me to receive the file demonstrating the high interest in its content. The problem is that that tool hides a Bitcoin wallet stealing malware as demonstrated in an analysis conducted by Kaspersky Lab expert Sergey Lozhkin that was published on the SecureList blog. 

MTGox bitcoin stealer malware

“But this application is actually malware created to search and steal Bitcoin wallet files from their victims. It seems that the whole leak was invented to infect computers with Bitcoin stealer malware that takes advantage of people keen interest in the MtGox topic.” said Lozhkin.

The archive contains an application used to deceive users, it appears like an application that give access to databases of MtGox platform, but in reality it is a Bitcoin stealer malware.

We detect the Windows Trojan (MD5:c4e99fdcd40bee6eb6ce85167969348d), a 4.3MB PE32 executable, as Trojan.Win32.CoinStealer.i and OSX variant as Trojan.OSX.Coinstealer.a. Both have been created with the Livecode programming language – an open-source and cross-platform application development language.” according to Kaspersky.

The hacker used a multi-platform Bitcoin  malware that searches for Bitcoin wallet files (bitcoin.conf and wallet.dat files) on the victim’s PC and then send them to the Command and Control server. The Command and Сontrol server for the Bitcoin stealer malware is located in Bulgaria and seems it has been shut down in time I’m writing. 

Resuming the whole story on the MtGox data leaked by the biggest exchange was invented by attackers to infect a large audience of users with a Bitcoin stealer malware. I consider this a case study the capability of cybercrime to adapt its strategy to real life events.

“Malware creators often using social engineering tricks and hot discussion topics to spread malware, and this is great example of an attack on a focused target audience.” reports the post.

Be aware of any unsolicited email from MtGox or any phishing campaign based on the crack of the biggest Bitcoin Exchange.


Pierluigi Paganini

(Security Affairs – MtGox, Bitcoin stealer malware )

you might also like

leave a comment