Attackers Abuse Discord to Deliver Clipboard Hijacker That Steals Wallet Addresses on Paste


Sarah simpson
January 20, 2026 3 Min Read

A new clipboard hijacker is quietly draining cryptocurrency from gamers and streamers by abusing trust inside Discord communities.

The campaign centers on a malicious Windows program shared as a supposed streaming or security tool. Once installed, it silently watches the user’s clipboard, waiting for the moment they copy a crypto wallet address.

When the victim pastes it into an exchange, wallet, or payment field, the malware swaps it with an attacker-controlled address, redirecting the funds without leaving obvious traces.

The threat actor, tracked as “RedLineCyber,” focuses on Discord servers linked to gaming, gambling, and cryptocurrency streaming.

They build rapport with server members, present themselves as tool developers, and privately share a file named Pro.exe or peeek.exe.

Victims are told the tool will help them manage or protect their wallet addresses during live sessions, making it appear useful rather than suspicious.

Behind this friendly pitch is a focused theft operation that can quietly redirect an entire transaction with a single unchecked paste.

CloudSEK analysts uncovered this operation while monitoring underground communities and Discord channels used by cybercriminals.

During these human intelligence operations, researchers identified the fake “RedLine Solutions” persona and traced the malware back to a Python-based executable packed with PyInstaller.

Their analysis confirmed that the program does not behave like classic information-stealing malware, but instead narrows its activity to one task: manipulating clipboard data linked to popular cryptocurrencies.

Redline Solution (Source – CloudSEK)

The impact of this campaign is significant because it targets users at the exact point where human attention is weakest. Many streamers and frequent traders copy and paste long wallet strings without double-checking every character.

By operating without command-and-control traffic and using minimal system resources, the malware can remain active for long periods, waiting for high-value transfers.

Blockchain traces linked to the attacker’s embedded wallet addresses already show stolen funds across Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron.

Infection Mechanism and Clipboard Hijacking Logic

Once a victim launches Pro.exe, the malware creates a folder named CryptoClipboardGuard inside the Windows %APPDATA% directory and registers itself in the Run key of the current user’s registry.

This ensures it starts automatically whenever the system boots, persisting in the background without any visible window.

The executable bundles its own Python runtime and obfuscated bytecode, enabling it to run even on systems without Python installed.

It then enters a tight loop, checking the clipboard roughly three times per second.

PyInstaller (Source – CloudSEK)

Every time the clipboard content changes, the malware scans it against base64-encoded regular expressions that match wallet formats for major cryptocurrencies.

If it detects a valid address, it immediately overwrites the clipboard with a preset attacker wallet for that coin and records the swap in an activity.log file within %APPDATA%\CryptoClipboardGuard.

Cryptocurrency Address Detection (Source – CloudSEK)

Because the address change happens between copy and paste, most victims never notice the replacement until their funds arrive in the wrong wallet — and by then, the transfer is irreversible.
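
The host artifacts described in this section (the CryptoClipboardGuard folder under %APPDATA%, the Run-key entry, the Pro.exe and peeek.exe file names, and activity.log) can be turned into a small triage check. The following is an added example, not code from CloudSEK or from the malware; the function names, the severity labels, and all sample Run-key values and paths are constructed for illustration.

```python
import ntpath
import re

# Indicators quoted from the article; no other sample details are assumed.
IOC_FOLDER = "cryptoclipboardguard"
IOC_EXE_NAMES = {"pro.exe", "peeek.exe"}
IOC_LOG_NAME = "activity.log"

def exe_from_command(command):
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', command, flags=re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.strip()

def normalise(path, appdata):
    """Expand %APPDATA%, collapse '..' segments, and lower-case for comparison."""
    path = re.sub(r"%appdata%", lambda _: appdata, path, flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()

def triage(run_entries, files, appdata):
    """Return (severity, kind, detail) findings for the artifacts described above."""
    ioc_dir = normalise(ntpath.join(appdata, IOC_FOLDER), appdata) + "\\"
    findings = []
    for value_name, command in run_entries:
        exe = normalise(exe_from_command(command), appdata)
        if exe.startswith(ioc_dir):
            findings.append(("high", "run-key", value_name))
        elif ntpath.basename(exe) in IOC_EXE_NAMES:
            # A file name alone is a weak signal, so it is only a lead to review.
            findings.append(("medium", "run-key", value_name))
    for f in files:
        p = normalise(f, appdata)
        if p.startswith(ioc_dir):
            kind = "swap-log" if ntpath.basename(p) == IOC_LOG_NAME else "dropped-file"
            findings.append(("high", kind, f))
    return findings

# Constructed sample data: the user name, value names and paths are invented.
APPDATA = r"C:\Users\streamer\AppData\Roaming"
SAMPLE_RUN = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("ClipGuard", r'"%APPDATA%\CryptoClipboardGuard\Pro.exe"'),
    ("Updater", r"C:\Users\streamer\Downloads\peeek.exe"),
]
SAMPLE_FILES = [
    APPDATA + r"\CryptoClipboardGuard\activity.log",
    APPDATA + r"\Discord\settings.json",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, APPDATA):
        print(finding)
```

On a live Windows host, `run_entries` would be read from the current user's Run key and `files` from a directory listing of %APPDATA%; a present activity.log is worth preserving because, per the article, it records each address swap.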
