MistTrack recently revealed a new threat in the crypto space that steals funds from users’ wallets that comes in the form of a hijacking exploit found within a printer driver.
In a recent post, the cybersecurity arm of SlowMist raised awareness regarding a fairly new, yet hard to detect, threat entering the crypto space. Through an installed printer driver, a malicious backdoor program is able to hijack users’ clipboard and replace their copied crypto wallet address with that of the attacker’s.
“The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address,” wrote the web3 cybersecurity platform.
According to on-chain data from MistTrack, the attacker has stolen at least 9.3086 Bitcoin (BTC) from dozens of on-chain addresses. Based on current prices, the stolen funds amount to nearly $1 million or around $989,383.
The crypto wallet address has been active since April 22, 2016. Before its recent activities, its last detected on-chain transaction was in March 14, 2024 and is linked to multiple crypto exchanges.
How does the exploit work?
Cases of hidden malware exploits, like the one highlighted by MistTrack, occur as a result of attackers distributing malicious code through programs that need to be installed into the user’s hardware, such as a laptop, computer or mobile device. In this case, the attacker inserted the backdoor program through a printer driver that appears legitimate.
Once installed, the driver monitors the user’s clipboard—the temporary storage area where copied data is held— in search of a cryptocurrency wallet addresses. If the user copies what appears to be a crypto wallet address in order to send funds, the malware instead replaces it with the attacker’s crypto wallet address.
When the user pastes what it believes to be the original crypto wallet address from the clipboard and they fail to notice the hijacked change, the funds are then sent to the attacker’s wallet instead of the intended recipient.
A similar exploit was highlighted by CyberArk back in March 2025, which involved a malware called MassJacker. The malware enabled the attacker to access the user’s clipboard to alter the original crypto wallet address and redirect cryptocurrency transactions to attacker-controlled wallets, effectively stealing funds from the victim’s wallet.
Unlike the printer driver exploit, MassJacker used more than 750,000 unique addresses instead of a recurring one. The malware was able to infiltrate user’s hardware through pirated and cracked software downloaded from unofficial websites.
