A single online persona has built an entire fake-popularity machine to spread a cryptocurrency "clipboard hijacker," malware that quietly rewrites the wallet address you copy so that any crypto payment you make lands in the attacker's wallet instead. The most striking part is not the malware itself but the distribution operation behind it: a coordinated web of bogus accounts engineered to make dangerous software look trusted, according to the original report from Check Point Research, published June 17, 2026.
A clipboard hijacker (also called a clipper) sits silently in the background and watches what you copy. When it spots text shaped like a crypto wallet address, it swaps that address for one the attacker controls. Because wallet addresses are long strings with no meaning to a human reader, victims rarely notice the substitution before hitting send. The same swap-on-paste trick recently surfaced in a fake BlueWallet macOS stealer.
While the inflated GitHub stars and reviews are aimed partly at developers browsing for code, the people who actually get infected are those hunting for free crypto trading bots or game cheats, so the blast radius is broad.
How it works
Check Point describes a clipper written in Rust, with two variants. The Windows version arrives as a .NET loader (a small program whose only job is to launch another) that runs the real Rust payload, while the macOS version is a native Rust executable. The Windows build embeds a list of more than 15,500 attacker wallet addresses to swap in: roughly 15,000 of them across the common Bitcoin address formats, about 500 Ethereum, plus single addresses for Bitcoin Cash, Monero, Dogecoin, Cardano, Litecoin and others. Important caveat: those are address counts, not stolen coin balances, and Check Point gives no dollar figure for the losses.
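To make the substitution step concrete, here is an added Python model of it, written for this briefing and not taken from Check Point's analysis or from the actor's code. It recognises the address shapes the report names, swaps each for an attacker address of the same format, and includes the defensive comparison a wallet user or a test harness can run before a send. The regexes are simplified shape checks with no checksum validation, the attacker pool and the clipboard text are constructed, and picking a replacement of the same format is an inference from the report's per-format pools, not a documented detail.

```python
import re

# Shape-only patterns for the address formats named in the report (no checksum
# validation; a clipper only needs the shape to decide whether to swap).
ADDRESS_PATTERNS = {
    "btc_p2pkh":  re.compile(r"\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_p2sh":   re.compile(r"\b3[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[qp][a-z0-9]{38,58}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed attacker pool, one address per format. The real Windows build
# carries more than 15,500 of these; how one is chosen is not documented.
ATTACKER_POOL = {
    "btc_p2pkh":  "1ConstructedAttackerAddrForTestXYZ",
    "btc_p2sh":   "3ConstructedAttackerAddrForTestXYZ",
    "btc_bech32": "bc1q" + "k" * 38,
    "eth":        "0x" + "ab" * 20,
}


def classify(text):
    """Return the address format of a single token, or None if it is not address-shaped."""
    token = text.strip()
    for fmt, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(token):
            return fmt
    return None


def clipper_rewrite(clipboard, pool=ATTACKER_POOL):
    """Model of the hijack: every address-shaped token in the clipboard text is
    replaced by a pool address of the same format; all other text is untouched."""
    out = clipboard
    for fmt, pat in ADDRESS_PATTERNS.items():
        if fmt in pool:
            out = pat.sub(pool[fmt], out)
    return out


def detect_substitution(copied, pasted):
    """Defensive check: what you copied must equal what landed in the send form.
    Returns None when they match, otherwise a description of the mismatch."""
    if copied == pasted:
        return None
    prefix = 0
    while prefix < min(len(copied), len(pasted)) and copied[prefix] == pasted[prefix]:
        prefix += 1
    return {
        "copied_format": classify(copied),
        "pasted_format": classify(pasted),   # like-for-like swap, so this usually matches
        "first_difference_at": prefix,       # a glance at the first characters can miss it
    }


if __name__ == "__main__":
    victim = "0x" + "12" * 20                      # constructed legitimate address
    note = f"pay {victim} by Friday"              # constructed clipboard content
    hijacked = clipper_rewrite(note)
    print(hijacked)
    print(detect_substitution(victim, hijacked.split()[1]))
```

The point of `detect_substitution` is that the only reliable check is equality of the whole string: the format of the pasted address still looks right, and a pool large enough can contain an address that shares the first few characters with the victim's.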
The infection requires the victim to act. Researchers say people download a ZIP file and manually run the trojanized tool, for example a file named SniperBot_Premium(Free)[.]exe. On Windows the malware copies itself into a hidden folder under the user profile and adds a Startup-folder shortcut so it relaunches at login. On macOS it installs a LaunchAgent (a macOS auto-start entry) that reruns it in a 30-second watchdog loop.
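Both persistence traits can be hunted for. Here is an added Python triage of a macOS LaunchAgent plist, example code written for this briefing and not a Check Point tool or the malware's own file: it flags a program path that sits in a hidden directory under the user's home and a launchd entry that reruns the program on a short interval. The two plists, their labels and paths are constructed; expressing the 30-second loop as StartInterval=30 is an assumption, since the report does not say how the loop is implemented. The equivalent Windows check walks the Startup folder for shortcuts whose target lives in a hidden folder under %USERPROFILE%.

```python
import glob
import os
import plistlib
from pathlib import PurePosixPath

HOME = "/Users/victim"   # constructed; a real sweep uses os.path.expanduser("~")

# Constructed LaunchAgent, not the actor's file. It shows both traits the report
# describes: a program hidden under the user's home and an entry that keeps
# relaunching it (StartInterval=30 is an assumption about the 30-second loop).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.cache/.svc/sniperbot</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>30</integer>
</dict></plist>"""

# Constructed benign agent for comparison: visible install path, no relaunch loop.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.menubar</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SHORT_INTERVAL_SECONDS = 60   # heuristic threshold; legitimate agents rarely poll this fast


def program_path(agent):
    """launchd takes the executable from Program, else the first ProgramArguments entry."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_agent(raw_plist, home=HOME):
    """Parse one LaunchAgent plist and return (suspicious, findings)."""
    agent = plistlib.loads(raw_plist)
    findings = []
    prog = program_path(agent)
    if prog:
        path = PurePosixPath(prog)
        if path.is_relative_to(home):
            rel = path.relative_to(home)
            if any(part.startswith(".") for part in rel.parts):
                findings.append(f"program {prog} is in a hidden directory under {home}")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= SHORT_INTERVAL_SECONDS:
        findings.append(f"StartInterval={interval}s relaunches the program continuously")
    if findings and agent.get("KeepAlive"):
        findings.append("KeepAlive restarts the program if it is killed")
    return bool(findings), findings


def sweep_launch_agents(home=None):
    """Triage every plist in the real per-user LaunchAgents directory (not run in the demo)."""
    home = home or os.path.expanduser("~")
    results = {}
    for path in glob.glob(os.path.join(home, "Library", "LaunchAgents", "*.plist")):
        try:
            with open(path, "rb") as f:
                results[path] = triage_launch_agent(f.read(), home)
        except (OSError, plistlib.InvalidFileException):
            continue
    return results


if __name__ == "__main__":
    print(triage_launch_agent(SUSPICIOUS_PLIST))
    print(triage_launch_agent(BENIGN_PLIST))
```

KeepAlive on its own is common in legitimate agents, so it is only reported alongside another finding; the hidden-path and short-interval checks are the ones that carry the verdict.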
The fake-trust machine
The lures pose as crypto and gaming utilities, such as Solana and Pump.fun sniper bots, crypto-exchange trading bots, and an "Aviator Predictor" for crash games. To make them look legitimate, Check Point says the actor runs "Ghost Networks," clusters of fake or low-quality accounts that repeatedly promote the tools and inflate engagement. The numbers tell the story. SourceForge reported 44,485 downloads, of which 37,460 were attributed to Android devices, a figure Check Point flags as highly suspicious because no Android build exists. One GitHub repository showed 146 stars and 62 forks, and the network spans at least six GitHub accounts plus a WordPress hub, SourceForge, AI-narrated YouTube videos, BitcoinTalk threads, and seeded positive votes on VirusTotal. Treat all of these figures as evidence of manipulation, not genuine popularity. This mirrors an earlier Check Point report on a fake-software distribution ecosystem.
Who is affected
Anyone hunting for free crypto trading bots, game "predictors," or cracked tools is the target. Check Point ties the activity to a single persona using the handle @JoseCmanXD, active on a hacking forum since 2019, but it makes no nation-state or named-group attribution and uses hedged language throughout. Do not read it as a confirmed identity.
What you should do
Distrust inflated reputation signals. Stars, forks, download counts, YouTube views, and VirusTotal upvotes can all be faked, so do not treat them as proof that software is safe. Never run "sniper bot" or "predictor" tools downloaded from forums, link aggregators, or random repositories. Always verify a crypto wallet address character by character before sending, comparing the full string rather than just the first and last few characters, since clippers rely on you not checking. Check Point published 14 SHA-256 hashes (unique file fingerprints that security teams can use to detect and block the malware) as indicators, including 5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61. The campaign's reliance on a trusted code platform echoes GitHub Pages abuse for bank phishing.
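The hashes are most useful fed to an EDR or a YARA rule, but a plain file sweep is enough for a one-off check of a Downloads folder. Here is an added Python sweep, example code written for this briefing and not a Check Point tool, that hashes every file under a directory and reports any that match an IOC set. The set below holds the one hash quoted above; add the other thirteen from the report. The demo function builds a temporary directory with a constructed inert file and puts that file's own hash in the set so the flow can be seen offline; that file, its name and its hash are constructed and are not malware.

```python
import hashlib
import os
import tempfile

# SHA-256 IOC quoted in this briefing; extend with the rest of Check Point's list.
CHECKPOINT_IOCS = {
    "5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs):
    """Hash every regular file under root; return {path: sha256} for IOC matches."""
    iocs = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skips sockets and broken symlinks
                continue
            try:
                digest = sha256_file(path)
            except OSError:                    # unreadable file; keep going
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def demo_sweep():
    """Offline demo: a constructed inert file whose own hash is added to the IOC set.
    Returns (set of matching paths relative to the temp root, constructed hash)."""
    payload = b"constructed sample for the briefing, not the real malware\n"
    constructed_ioc = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "Downloads", "SniperBot_sample.exe")   # constructed name
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "README.txt"), "wb") as f:
            f.write(b"unrelated file that must not match\n")
        hits = sweep(root, CHECKPOINT_IOCS | {constructed_ioc})
        rel = {os.path.relpath(p, root).replace(os.sep, "/") for p in hits}
        return rel, constructed_ioc


if __name__ == "__main__":
    # Real use: sweep(os.path.expanduser("~/Downloads"), CHECKPOINT_IOCS)
    print(demo_sweep())
```

A hash match confirms an exact file from the published list; a repacked build will not match, so treat a clean sweep as absence of those 14 files, not absence of the clipper.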
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.