Created at 9am, Jan 18
ahrwhitfordCrypto
Chainalysis 2022 Crypto Crime Report
WIp4VanTNj4d-v_AFoKD17HvzFW1wIb5Kak5G1ojsow
File Type: PDF
Entry Count: 252
Embed. Model: jina_embeddings_v2_base_en
Index Type: hnsw

Original data and research into crypto-based crime, courtesy of Chainalysis

While HackBoss is uniquely targeted at hackers attempting to download tools to carry out their own cybercrimes, most other clippers are targeted at ordinary cryptocurrency users. It's extremely difficult to know if one has fallen victim to a clipper until a transaction has been hijacked: given how long and complex cryptocurrency addresses are, most people don't read through the recipient's entire address between pasting it into their wallet and sending a transaction. However, that may be necessary for users trying to be as careful as possible. At the very least, cryptocurrency users need to be vigilant about what links they click and programs they download, as there are several active malware strains, not just clippers but others too, attempting to steal their funds.
Case study: Glupteba botnet hijacks computers to mine Monero and harnesses the Bitcoin blockchain to evade shutdown
id: d87868fbe2acfdab3185f26346b308da - page: 65
A complaint filed by Google in late 2021 named multiple Russian nationals and entities alleged to be responsible for operating the Glupteba botnet, which has compromised over 1 million machines. Glupteba's operators have used these machines for several criminal schemes, including utilizing their computing power to mine cryptocurrency (specifically, in this case, Monero) in a practice known as cryptojacking. Perhaps most notable is Glupteba's use of the Bitcoin blockchain to withstand attempts to take it offline, encoding updated command-and-control (C2) servers into the OP_RETURN fields of Bitcoin transactions. Google used Chainalysis software and Chainalysis Investigative Services to analyze the Bitcoin addresses and transactions responsible for sending updated C2 instructions. Below, we'll break down how the Glupteba botnet uses the Bitcoin blockchain to defend itself and what it means for cybersecurity and law enforcement.
id: 6dc0ef9a81c40c93c10b59a3c2213fea - page: 65
A primer on the Glupteba botnet
The cybercriminals behind the Glupteba botnet have used it to carry out a variety of criminal schemes. In addition to cryptojacking, the botnet has been used to acquire and sell Google account information stolen from infected machines, commit digital advertising fraud, and sell stolen credit card data. Google was able to identify the individuals named in the complaint by obtaining and examining an IP address used by one of Glupteba's C2 servers. All individuals were also
id: 7baa23a8d476e1cb6b48d78d606c0efb - page: 65
MALWARE | THE 2022 CRYPTO CRIME REPORT | 64
listed as owners or administrators of shell companies connected to Glupteba-related crimes, such as one used to sell fraudulent digital advertising impressions supplied by the botnet. Google was able to successfully take down the current C2 server; however, as Glupteba has proven to be resilient against these actions through its blockchain failsafe, we will soon see a new C2 assigned.
How Glupteba weaponizes the blockchain
In order to direct botnets, cybercriminals rely on command-and-control (C2) servers, which allow them to send commands to machines infected with malware. Botnets look for domain addresses controlled by their C2 servers in order to receive instructions, with directions on where to look for those domain addresses hard-coded into the malware itself.
id: 30151275245c113bcb0d40029121eef6 - page: 65
How to Retrieve?
# Search

curl -X POST "https://search.dria.co/hnsw/search" \
-H "x-api-key: <YOUR_API_KEY>" \
-H "Content-Type: application/json" \
-d '{"rerank": true, "top_n": 10, "contract_id": "WIp4VanTNj4d-v_AFoKD17HvzFW1wIb5Kak5G1ojsow", "query": "What is alexanDRIA library?"}'
# Query

curl -X POST "https://search.dria.co/hnsw/query" \
-H "x-api-key: <YOUR_API_KEY>" \
-H "Content-Type: application/json" \
-d '{"vector": [0.123, 0.5236], "top_n": 10, "contract_id": "WIp4VanTNj4d-v_AFoKD17HvzFW1wIb5Kak5G1ojsow", "level": 2}'