Hacking Feb 24, 2020

Hackers Steal Crypto by Impersonating Top VPN Service

Hackers Steal Crypto by Impersonating Top VPN Service

By now, it’s common knowledge that Virtual Private Networks (VPNs) have become a must-have tool in daily safe browsing. As the number of VPN-centric users increase across the world, cybercriminals have adapted to this shift by impersonating otherwise genuine VPN services in order to spread malicious software to realize financial gains.

In latest reports, a team of researchers from Kaspersky have lifted the lid on a new malicious campaign that targets users’ cryptocurrency by impersonating a top VPN service’s site.

Specifically, it has been revealed that the cybercriminals established a copy of ProtonVPN’s website – which happens to be an exact replica of the VPN service’s genuine site, save for its different domain name. The researchers discovered that the campaign aims to propagate the Trojan stealer AZORult – which works by duping users into believing that they are downloading a Windows Installer.


AZORult has been identified to among the most popular stealers across Russian cybercriminal forums owing to its high level of versatility. This tool is a Trojan that poses significant threats to infected systems. This aspect is owed to the fact that the tool enables an attacker to harvest a host of user data including browser history, login details, folders and files belonging to cryptocurrency wallets. Importantly, AZORult is known to provide the capability of tricking users into downloading other malware.

How the Campaign Works

The fake VPN site is propagated through malvertising, the practice of advertising the website through links that are sent across various banner networks. Once a target visits the phishing website, they are asked to download a free VPN installer.

In this regard, once this step is taken, a copy of the AZORult botnet is implanted into their system. The activation of this implant helps hackers to harvest syetm information regarding its immediate environment, thereby relaying the data back to a server controlled by the cybercriminals.

It is at this point that hackers are able to steal any crypto that is stored in the affected system – accessing virtual coins stored in user cryptowallets, FTP logins, and various other forms of online credentials, browser data and other software.

It is reported that once the discovery was made, Kaspersky alerted ProtonVPN and took measures to eliminate the fake site in its portfolio. In response, the CEO of Proton VPN Andy Yen gave assurance about the company’s response to the malicious campaign.

In his statement, Yen warned users against the practice of downloading applications from unverified sources. It is important for users to cross check website addresses before making any downloads. In addition, verifying app developers goes a long way to ascertain the credibility of downloadable applications.

ProtonVPN asked for the takedown of the fake domain to mitigate any further damage that would be caused by the AZORult campaign and went ahead to publish a user guide that would advise prospective clients on online safety within the context of fake apps.

A Rise in Cases Involving Password-Stealing Software

According to a study conducted by Kaspersky, there has been a significant rise in the number of victims affected by password-stealing malware from 600,000 in 2018 to 940, 000 users in 2019.

By definition, Password-Stealing Ware (PSW) is any malicious tool that bears a capability to harvest data directly from a target’s internet browser through various ways. The information targeted by PSW is mostly sensitive in nature, including online credentials and financial card data. In addition, some variations of PSW are created to harvest browser cookies, user desktop files, and information from regular messaging tools.

Join the discussion here


Dear Guests and Freinds !

Remember that Tape Project is NOT responsible for other forums and markets!

Tape is NOT responsible for sites which buy advertising from us!

We are NOT responsilbe for vendor's and admin's actions from other sites!