Crypto Clipper Campaign Exploits Fake Reviews, AI Narrators, and VirusTotal Comments

Crypto Clipper Campaign Leverages Fake Reviews to Amplify Malware Distribution

An unidentified threat actor is buying promoted slots on reputable news sites to seed hype for pirated software, according to Reuters. The operation runs through a purpose‑built WordPress phishing hub that aggregates links to GitHub and SourceForge repos masquerading as legitimate projects. Fake accounts populate a YouTube channel with AI‑generated narrations that praise the illicit warez, while comment sections on VirusTotal are flooded with scripted endorsements. Researchers at Check Point observed that the campaign also injects ↑ 10% more traffic into the phishing page each week, raising the risk of credential harvest.

“The blend of SEO manipulation and AI‑driven persuasion marks a new tier of cyber‑crime,” said a senior analyst.

Additional scrutiny from Bloomberg highlights that the actor’s network spans multiple continents, using compromised domains to evade takedown. Victims are lured into downloading trojanized binaries that install clipboard‑monitoring malware, commonly dubbed “Crypto Clipper.” The malicious code silently replaces cryptocurrency wallet addresses, siphoning funds to wallets controlled by the group. Security teams are urged to monitor for anomalous comment patterns on security forums and to harden WordPress installations against unauthorized plugins.

Intel provided by: Kaelen Frost

Lead Cybersecurity Analyst