Cyren, an Israeli cybersecurity and software company, has revealed a type of malware that has been stealing user funds and the passwords of Bitcoin wallets from PC users.

In a blog post, Avi Turiel, Cyren’s director, warned web-based Bitcoin wallet platform users to look out for keylogger malware which is delivered in the form of a PDF file or other types of application in a phishing email sent by a network of bots stemming from the US and Singapore.

Commonly, the keylogger is sent out by bots to PC users worldwide in email attachments. Although the content of the email varies based on the targeted individual, bots usually send out emails related to financial notifications such as a payment notification, payment update or a confirmation email.

How it utilizes PDF

Users often fall victim to these phishing attacks primarily due to the type of attachment sent with the email. PDF files are normally sent out by financial service providers or banks to provide their clients with a complete review of their accounts. Most payment details or invoices are also sent in a PDF file and thus users aren’t skeptical towards downloading PDF files in emails.

Scammers and malware distributors also utilize actual company letters or email formats to ensure users struggle to differentiate a phishing email from an original company email. Domains used by malware distributors are also nearly identical to the actual domain of the company. If is taken as an example, malware distributors acquire similar domains such as or to trick users into clicking fraudulent links or files that lead to the automatic installation of keylogger malware.

Upon the installation of the keylogger, an executable file runs in the background like a normal PC application. The file itself is usually located in the AppData\Local\Temp\subfolder, where most temporary files are located.

If the keylogger successfully penetrates a computer, installs itself and begins to run in the background, it searches for cryptocurrency applications by using keywords. Apart from Bitcoin, it also searches for altcoins like Litecoin and Namecoin in an attempt to steal passwords from the maximum number of cryptocurrency applications run on the computer.

There exists hundreds of keyloggers and fraudulent applications which target Bitcoin applications and financial platforms. To eliminate the possibility of keyloggers affecting cryptocurrency applications or Bitcoin wallets to be specific, users must try to address all security measures and protocols offered by the service provider. 2FA must be enabled, a PIN should be used for outgoing Bitcoin transactions and regular antivirus scans are mandatory in order to delete keyloggers if ever installed on a computer.