Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets.
The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser.
It could also be the first known ClickFix attack to use JavaScript to alter a webpage's functionality for a malicious purpose.
Promoted through Pastebin
In the campaign spotted by BleepingComputer, threat actors are iterating through Pastebin posts and leaving comments that promote an alleged cryptocurrency exploit, with a link to a URL on rawtext[.]host.
The campaign is widespread, with many of our posts receiving comments over the past week claiming to be "leaked exploit documentation" that allows users to earn $13,000 in 2 days.
Phishing comment on Pastebin
Source: BleepingComputer
The link in the comment redirects to a Google Docs page titled "Swapzone.io – ChangeNOW Profit Method," which claims to be a guide describing a method to exploit arbitrage opportunities for higher payouts.
"ChangeNOW still has an older backend node connected to the Swapzone partner API. On direct ChangeNOW, this node is no longer used for public swaps," reads the fake guide.