Mastermind Hacker Busted for Massive KMSAuto Malware Distribution

A Lithuanian national has been arrested on suspicion of infecting 2.8 million systems with clipboard-stealing malware. The malware was disguised as KMSAuto, a tool used to illegally activate Windows and Office.

After a request from Interpol, the 29-year-old individual was extradited from Georgia to South Korea to face charges related to the malware campaign.

The Korean National Police Agency said the suspect used KMSAuto as bait: victims looking for a pirated activator downloaded a malicious executable that watched the clipboard for cryptocurrency addresses and silently replaced them with addresses controlled by the attacker. Because users routinely copy and paste wallet addresses rather than typing them, the victim pastes the attacker's address into the payment field and the funds go to the attacker. Malware of this kind is known as "clipper" malware.
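The attack described above is a race on the clipboard: the user copies an address, and milliseconds later the clipper overwrites it with a different address of the same family. That timing is also a detection signal. The following is an added example, not code from the article or from the Korean police report, of a clipboard watchdog heuristic that flags exactly that pattern. The address patterns, the one-second window and the sample clipboard timeline are all constructed for the example; a real monitor would poll the OS clipboard instead of reading a list.

```python
import re
from datetime import datetime, timedelta

# Constructed regexes for the address families a clipper typically targets:
# legacy/P2SH Bitcoin (base58, no 0/O/I/l), bech32 Bitcoin and hex Ethereum.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

# A human copy/paste cycle does not replace one address with another of the
# same family this fast; a clipper rewriting the clipboard does. (Assumed threshold.)
SWAP_WINDOW = timedelta(seconds=1)


def classify(text):
    """Return (family, address) if the clipboard holds a bare crypto address, else None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return family, s
    return None


def detect_swaps(samples, window=SWAP_WINDOW):
    """samples: list of (timestamp, clipboard_text) from successive clipboard polls, in order.

    Flags every transition from one address to a *different* address of the same
    family that occurs within `window` of the previous clipboard change.
    """
    alerts = []
    last_text, last_time, last_addr = None, None, None
    for when, text in samples:
        if text == last_text:
            continue  # clipboard unchanged since the previous poll
        current = classify(text)
        if (current and last_addr
                and current[0] == last_addr[0]
                and current[1] != last_addr[1]
                and when - last_time <= window):
            alerts.append({
                "family": current[0],
                "copied": last_addr[1],
                "replaced_with": current[1],
                "delay_seconds": (when - last_time).total_seconds(),
            })
        last_text, last_time, last_addr = text, when, current
    return alerts


# Constructed sample timeline. Addresses are format-valid but made up.
COPIED_BTC = "1CopiedFromTrustedSiteAAAAAAAAAAAA"    # what the user actually copied
SWAPPED_BTC = "1AttackerSwappedAddressBBBBBBBBBBB"   # what the clipper wrote 30 ms later
ETH_A = "0x" + "11" * 20
ETH_B = "0x" + "22" * 20
T0 = datetime(2023, 1, 15, 12, 0, 0)
SAMPLES = [
    (T0, "meeting notes for monday"),
    (T0 + timedelta(seconds=5), COPIED_BTC),                    # user copies the payee address
    (T0 + timedelta(seconds=5, milliseconds=30), SWAPPED_BTC),  # clipper overwrites it
    (T0 + timedelta(seconds=5, milliseconds=60), SWAPPED_BTC),  # unchanged on the next poll
    (T0 + timedelta(seconds=60), ETH_A),                        # user copies an ETH address
    (T0 + timedelta(seconds=120), ETH_B),                       # another ETH address a minute later: legitimate
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLES):
        print(f"[{alert['family']}] {alert['copied']} -> {alert['replaced_with']} "
              f"after {alert['delay_seconds']:.3f}s")
```

The window heuristic only catches clippers that rewrite the clipboard immediately after a copy; one that waits for a paste event, or that only touches the clipboard when a wallet window is focused, would need a different signal. The cheapest user-side defence remains the manual one: compare the first and last few characters of the pasted address with the one you copied before sending.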

The police stated, “From April 2020 to January 2023, the hacker distributed 2.8 million copies worldwide of malware disguised as an illegal Windows license activation program (KMSAuto).” This distribution resulted in the theft of virtual assets worth approximately KRW 1.7 billion ($1.2 million) from 8,400 transactions involving 3,100 virtual asset addresses.

The investigation began in August 2020 after a victim reported that a cryptocurrency payment had been diverted: their system was infected with clipper malware, which changed the intended recipient's wallet address to one belonging to the attacker. (Some reports describe this as cryptojacking, but that term refers to covert mining; what happened here is address substitution.)

[Figure: Attack overview. Source: police.go.kr]

The investigation uncovered that the malware infection stemmed from the KMSAuto tool. The clipper malware targeted at least six cryptocurrency exchanges, according to the investigators.

In December 2024, after tracing the stolen funds and identifying the suspect, police raided a location in Lithuania and seized 22 items, including laptops and mobile phones.

Examination of the seized items yielded incriminating evidence, and the suspect was arrested in April 2025 while travelling from Lithuania to Georgia.

The South Korean police advise against using illegal software that violates copyright, as such tools can introduce malware into the system.

It is crucial to avoid using unofficial software product activators and Windows executables that lack digital signatures and whose source or integrity cannot be verified.
