Threat actors are abusing Pastebin comments to lure cryptocurrency users into executing malicious JavaScript that hijacks Bitcoin swap transactions and redirects funds to attacker-controlled wallets. Promoted via Pastebin and a fake Google Doc promising Swapzone.io arbitrage gains, this ClickFix-style campaign injects obfuscated scripts into the Swapzone page to replace deposit addresses and manipulate rates, making theft effectively irreversible. #ClickFix #Swapzone
Key points
- Attackers post Pastebin comments linking to a fake Swapzone exploit hosted on rawtext.host and Google Docs.
- Victims are instructed to paste javascript: code into the browser address bar to execute a malicious payload on Swapzone.io.
- The injected script overrides Swapzone's Next.js swap handler and replaces legitimate deposit addresses with attacker-controlled Bitcoin wallets.
- The campaign also alters displayed exchange rates and offer values to convince victims the alleged arbitrage is working.
- Because Bitcoin transactions are irreversible, funds sent to attacker wallets are unlikely to be recovered.
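Detection sketch for the lure described above, as an added example that is not code from the campaign or from Swapzone: it triages text copied from a paste, document or chat for javascript: URIs and for the hard-coded Bitcoin addresses or decoder calls they carry. The function names, verdict labels, regexes and sample strings are assumptions made up for this illustration; the sample address is constructed and not a real wallet.

```javascript
// Added example: triage copied text for "paste this into the address bar" lures.
// URL parsers drop tabs and newlines, so "java<TAB>script:" is still the scheme.
const SCHEME = new RegExp('javascript'.split('').join('[\\t\\r\\n]*') + '[\\t\\r\\n]*:', 'gi');
// Shape-only match for bech32 (bc1...) and base58 (1.../3...) addresses; no checksum test.
const BTC_ADDR = /\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g;
// Calls commonly used to unpack an obfuscated script at run time.
const OBFUSCATION = /\b(?:eval|atob|unescape|fromCharCode|Function)\s*\(/g;

// The body of a javascript: URL is percent-decoded before it runs, so decode it first.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function triageLure(text) {
  const findings = [];
  for (const m of text.matchAll(SCHEME)) {
    const rest = text.slice(m.index + m[0].length);
    const end = rest.search(/\n\s*\n/); // treat a blank line as the end of the payload
    const payload = safeDecode(end === -1 ? rest : rest.slice(0, end));
    findings.push({
      offset: m.index,
      btcAddresses: [...new Set(payload.match(BTC_ADDR) || [])],
      obfuscation: [...new Set((payload.match(OBFUSCATION) || [])
        .map((s) => s.replace(/\s*\($/, '')))],
    });
  }
  const asksForAddressBar = /\b(?:address|url)\s+bar\b/i.test(text);
  const risky = asksForAddressBar ||
    findings.some((f) => f.btcAddresses.length > 0 || f.obfuscation.length > 0);
  const verdict = findings.length === 0 ? 'clean' : risky ? 'block' : 'review';
  return { verdict, asksForAddressBar, findings };
}

// Constructed sample: lure wording, an inert payload and a made-up address.
const SAMPLE_ADDR = 'bc1qexampleexampleexampleexampleexample00';
const SAMPLE_LURE = [
  'Step 3: open the swap page, click the address bar and paste:',
  'java\tscript:void(eval(atob("Y29uc3RydWN0ZWQ="))); /* ' + SAMPLE_ADDR + ' */',
  '',
  'Profit shows up within minutes.',
].join('\n');
const SAMPLE_BENIGN = 'Docs: use https://example.com/swap and never paste code.';

console.log(JSON.stringify(triageLure(SAMPLE_LURE), null, 2));
```

The address pattern checks shape only, so long alphanumeric runs in unrelated code can match; treat hits as leads for review rather than confirmed wallets.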