
Fake GitHub stars spread Rust clipboard hijacker to steal cryptocurrency

malware · open · Jun 17, 2026 — Jun 22, 2026
Fake reputation scam spreads clipboard hijacker to steal crypto

According to Dark Reading, a fraudulent reputation-building campaign has unleashed a Rust-based clipboard hijacker that steals cryptocurrency by swapping wallet addresses copied to the clipboard. The operation spreads through forged GitHub stars, AI-generated YouTube videos and bogus comments on VirusTotal, tricking users into downloading what appears to be a legitimate trading tool. Researchers say the scheme primarily targets Windows and macOS users seeking quick gains in digital assets.

According to Check Point research, the hijacker is written in Rust, a language chosen for its speed and low visibility to many security scanners. Once executed it monitors the clipboard for strings that match known cryptocurrency address formats and instantly replaces them with an address controlled by the attacker. The malware also creates a persistent launcher in the user’s startup folder or launch agents, ensuring it survives reboots and continues to monitor clipboard activity.

Infosecurity Magazine notes that the malware is hosted on a phishing site that masquerades as a repository for crypto-utility applications. The site pulls in fake engagement metrics, including manufactured GitHub stars and synthetic YouTube videos that praise the tool’s performance. Additionally, threat actors flood VirusTotal comment sections with positive feedback generated by AI, further bolstering the illusion of legitimacy and encouraging downloads from unsuspecting victims.

The campaign was first seen in mid-June 2026 and remained active through late June, with thousands of clipboard alterations recorded in telemetry from security products. No CVE identifier has been assigned to the behaviour, and the threat actors behind the operation have not been publicly attributed. Investigators note the use of ghost networks, clusters of fake accounts that coordinate likes, comments and stars, to fabricate credibility across multiple platforms.

The incident illustrates how attackers are increasingly relying on social proof rather than technical exploits to deliver malicious code. By fabricating popularity signals they lower the psychological barrier for users who might otherwise scrutinise an unknown download. Security experts warn that this trend threatens the trust model of open-source repositories and video platforms, making reputation manipulation a potent weapon in the crypto-theft arsenal.

Users should verify the authenticity of any software before installation, checking for valid signatures and examining the reputation of the publisher through independent channels. Keeping endpoint protection up to date helps detect known Rust-based hijackers, while monitoring clipboard changes can alert to unexpected address swaps. For cryptocurrency holders, using hardware wallets that require manual confirmation of transactions adds a strong defence against clipboard-based theft. Educating staff and personal contacts about the dangers of reputation-driven lures reduces the chance of falling for such schemes.
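The clipboard monitoring suggested above can be sketched as detection logic over recorded clipboard samples. This is an added example, not code from the researchers or from this briefing: it flags an address-shaped value that is replaced by a different address of the same family within about a second of first appearing, matching the "instantly replaces" behaviour described earlier. The address patterns, the one-second threshold and the sample strings are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape-only patterns, no checksum validation; a simplified set assumed for this example.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

@dataclass
class SwapAlert:
    at: float
    family: str
    original: str
    replacement: str

def classify(text):
    """Return (family, normalized value); family is None for non-address text."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            # Hex case only encodes an ETH checksum, so compare case-insensitively.
            return family, value.lower() if family == "eth" else value
    return None, value

def detect_swaps(samples, max_gap=1.0):
    """Flag an address replaced by a different same-family address within
    max_gap seconds of first appearing. samples: time-ordered (seconds, text)."""
    alerts, current = [], None  # current = (first_seen, family, value)
    for ts, text in samples:
        family, value = classify(text)
        if current and value == current[2]:
            continue  # unchanged content keeps its original first-seen time
        if current and family and family == current[1] and ts - current[0] <= max_gap:
            alerts.append(SwapAlert(ts, family, current[2], value))
        current = (ts, family, value)
    return alerts

# Constructed sample data: placeholder strings that only match the address shapes.
ETH_A, ETH_B = "0x" + "a1" * 20, "0x" + "b2" * 20
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLES = [
    (0.0, "meeting notes"), (5.0, ETH_A), (5.2, ETH_A),
    (5.3, ETH_B),            # replaced 0.3 s after the copy: flagged
    (60.0, BTC_A), (95.0, BTC_B),  # user copies another address 35 s later: not flagged
    (100.0, ETH_A.upper().replace("X", "x")), (100.1, ETH_A),  # same address, different case
]
```

Measuring the gap from when a value first appeared, rather than from the previous poll, keeps an address that sat on the clipboard for a while and was then deliberately replaced from raising an alert.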

Intelligence briefing updated Jun 22, 2026

Root source: research.checkpoint.com