thehackernews.com web signal

Check Point Exposes Crypto Clipper Backed by AI-Built Reputation

cybersecurity deepfakes ai-fraud supply-chain

TL;DR

  • A Rust-based crypto clipboard hijacker was backed by a YouTube channel with 91,000+ subscribers that used AI-generated narrators to make the malware look like legitimate software.
  • SourceForge showed 44,485 downloads, but 37,460 came from Android devices despite the malware targeting only Windows and macOS.
  • EIN Presswire press releases syndicated the campaign into USA TODAY Network partners including Clarion Ledger and National Law Review.

The interesting part of Check Point Research's findings isn't the payload; it's the marketing department. A single threat actor distributing a Rust-based cryptocurrency clipboard hijacker ran what amounted to a full software-vendor brand: a YouTube channel with over 91,000 subscribers running AI-generated tutorial videos, coordinated five-star reviews across distribution platforms, and an Android device farm suspected of inflating SourceForge download counts to 44,485.

The infrastructure stretched across at least six GitHub accounts cross-promoting the same payloads, with one repository accumulating 146 stars and 62 forks. The campaign also operated coordinated VirusTotal accounts using what Check Point calls "Ghost Networks," seeding upvotes and positive comments specifically to reduce suspicion at the point where a security-conscious user would do a quick check before installing.

The press release angle is where the operation gets genuinely difficult to flag. The campaign distributed promotional content via EIN Presswire, which syndicated it across USA TODAY Network partner publications including Clarion Ledger, MetroWest Daily News, National Law Review, and Commercial Appeal. That is not a signal most users think to distrust.

The payload itself is a clipboard hijacker targeting Windows and macOS users searching for Solana and Pump.fun sniper bots. It monitors clipboard contents for cryptocurrency wallet address patterns and silently substitutes attacker-controlled addresses before a transaction confirms, a technique that requires no further user interaction and leaves most victims unaware of when the substitution happened.
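As an added illustration of the detection side (not code from Check Point's report or from the campaign's tooling), the following Python monitor walks a constructed stream of clipboard events and flags the moment a wallet-looking value is replaced by a different one with no intervening user copy, which is exactly the silent rewrite described above. The event format, the `user`/`poll` source labels and the sample addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Solana addresses are base58-encoded 32-byte keys: 32-44 chars, no 0/O/I/l.
SOLANA_ADDR = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")

@dataclass
class ClipEvent:
    t: float      # seconds since monitoring started
    source: str   # "user" = explicit copy by the user, "poll" = background read
    text: str

def detect_swaps(events: List[ClipEvent]) -> List[Tuple[float, str, str]]:
    """Flag polls where the clipboard holds a *different* wallet-looking address
    than the one the user last copied. A clipper rewrites the value silently,
    so a change with no intervening user copy is the signal."""
    alerts = []
    last_user = None       # most recent explicit user copy
    reported = False       # one alert per user copy, not one per poll
    for ev in sorted(events, key=lambda e: e.t):
        if ev.source == "user":
            last_user, reported = ev, False
            continue
        if last_user is None or reported:
            continue
        if (SOLANA_ADDR.match(last_user.text) and SOLANA_ADDR.match(ev.text)
                and ev.text != last_user.text):
            alerts.append((ev.t, last_user.text, ev.text))
            reported = True
    return alerts

# Constructed sample: synthetic base58-valid strings, not real wallets.
VICTIM_ADDR = "Victim" + "1" * 36
ATTACKER_ADDR = "Attacker" + "2" * 34
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user", "meeting notes"),
    ClipEvent(0.5, "poll", "meeting notes"),   # unchanged, not an address
    ClipEvent(1.0, "user", VICTIM_ADDR),       # user copies destination wallet
    ClipEvent(1.2, "poll", ATTACKER_ADDR),     # silently rewritten -> alert
    ClipEvent(1.7, "poll", ATTACKER_ADDR),     # same swap, already reported
    ClipEvent(3.0, "user", "Short"),           # user copies something else
    ClipEvent(3.5, "poll", "Short"),
]

def run_demo() -> List[Tuple[float, str, str]]:
    return detect_swaps(SAMPLE_EVENTS)

if __name__ == "__main__":
    for t, before, after in run_demo():
        print(f"t={t}s address changed without a user copy: {before} -> {after}")
```

A real deployment would replace `SAMPLE_EVENTS` with hooks on the platform clipboard API and treat the alert as a prompt to re-verify the destination address before the transaction is confirmed.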

What the reporting doesn't give you is any victim count or estimate of funds stolen; Check Point's analysis focuses on the infrastructure rather than downstream financial losses. Check Point does warn explicitly that "the same playbook of fake reputation and aggressive cross-platform promotion can easily distribute information stealers or ransomware to higher-value targets over time." For security teams, the lesson is that subscriber counts, star counts, download numbers, and VirusTotal scores now belong on the list of signals an attacker can manufacture from scratch.