Pastebin ClickFix JavaScript crypto swap hijacking campaign
Campaign
Summary
A Pastebin-driven, ClickFix-style campaign is tricking cryptocurrency users into running malicious JavaScript in their own browser, which then hijacks their Bitcoin swap transactions. The lure poses as a Swapzone.io arbitrage exploit, but the code changes the swap process inside the victim's session. The activity appears widespread, with recurring comments and pages showing 1 to 5 active viewers. The result is direct theft of funds to attacker-controlled Bitcoin wallets, with little practical chance of recovery after the transfer.
Related Happenings
UNC1069 GhostCall cryptocurrency social-engineering campaign
Campaign
First: 11.02.2026 08:50
Last: 11.02.2026 08:50
Sources 1
About this happening:
**UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
Campaign
First: 11.02.2026 00:17
Last: 11.02.2026 00:17
Sources 1
About this happening:
**BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
UNC1069 seven-family macOS malware deployment
Malware Activity
First: 11.02.2026 00:17
Last: 11.02.2026 00:17
Sources 1
About this happening:
A **UNC1069** malware activity track now includes the **Axios npm supply-chain compromise** after Google attributed the attack to the suspected **North Korean** cluster. Attackers...
Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints
Campaign
First: 28.01.2026 15:15
Last: 28.01.2026 15:15
Sources 1
About this happening:
**Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...
Latest development: 29.01.2026 20:37
Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).
YouTubeTA StealC malware campaign against cracked-Adobe seekers in 2025
Campaign
First: 16.01.2026 23:00
Last: 16.01.2026 23:00
Sources 1
About this happening:
The **YouTubeTA** operation ran **malware campaigns throughout 2025**, turning **cracked Adobe Photoshop and Adobe After Effects** searches into a large-scale **credential theft**...
Timeline
-
15.02.2026 17:17 2 articles · 3mo ago
Pastebin ClickFix crypto swap hijacking campaign
Initial Disclosure
Threat actors used Pastebin comments and a Google Docs lure to promote a fake Swapzone.io arbitrage method that instructed cryptocurrency users to paste and execute JavaScript in the browser address bar. The malicious code loaded a secondary payload from https://rawtext[.]host/raw?btulo3, overrode the legitimate Next.js swap interface on Swapzone.io, replaced the deposit address with attacker-controlled Bitcoin wallets, and altered displayed rates and offer values to make the swap appear profitable.
- Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps — www.bleepingcomputer.com — 15.02.2026 17:17