Based on reporting by The Hacker News →
Introduction
A sophisticated threat actor is now weaponizing the very tools of online trust—legitimate news site ads, fake product reviews, and even VirusTotal comments—to distribute cryptocurrency-stealing malware. This campaign highlights how attackers are turning public, trusted platforms into attack vectors.
The problem
According to new findings from Check Point Research, reported by The Hacker News, an unknown threat actor is running a crypto clipper campaign that uses paid or promoted posts on legitimate news websites as a primary lure. The operation also relies on a dedicated WordPress phishing page as a central hub, alongside fake accounts promoting projects on GitHub and SourceForge, a YouTube channel, and the injection of malicious comments into VirusTotal entries to drive traffic.
Consequences
Victims who fall for this multi-platform campaign risk having their cryptocurrency transactions hijacked. A clipper malware replaces a victim’s copied wallet address with the attacker’s address, diverting funds directly to the threat actor. The use of fake reviews and AI-generated narrators makes the scam harder to distinguish from legitimate software downloads, increasing the likelihood of infection among both casual and professional crypto users.
Causes
The campaign succeeds because threat actors exploit the inherent trust users place in established platforms: paid ads on news sites carry editorial credibility, GitHub and SourceForge are seen as legitimate software repositories, and VirusTotal comments are typically viewed as a security resource. The actor also leverages fake user engagement (reviews, comments, YouTube videos) to create a social proof halo—a technique that preys on users' habit of verifying a download’s legitimacy through multiple sources.