Pastebin Comments Spread ClickFix JavaScript Attack to Steal Crypto Swaps


Crooks use Pastebin comments to push ClickFix scams targeting crypto users. Fake “Swapzone.io arbitrage exploits” trick victims into running JavaScript in the browser address bar. The code hijacks Bitcoin swaps by replacing deposit addresses with attacker wallets.

The campaign promises $13,000 profits in 2 days via “leaked” guides. Comments link to Google Docs that present fake ChangeNOW backend exploits. Victims visit paste.sh, copy obfuscated JS, then type “javascript:” followed by the code on Swapzone.io and hit Enter.

The script pulls a secondary payload from rawtext.host. The obfuscated code overrides the Next.js swap logic. Attackers randomly replace legitimate deposit addresses. Victims see normal rates but send to thief-controlled BTC wallets.

This is the first known ClickFix to use browser JS instead of OS commands. No malware install is needed. Transactions are irreversible once confirmed.

Pastebin spam hits many posts weekly. Google Docs show 1-5 viewers live. Attackers rotate domains fast.

Attack Flow Table

| Step | Victim Action | Attacker Gain |
|------|---------------|---------------|
| 1 | Reads Pastebin comment | Lure exposure |
| 2 | Opens Google Docs guide | Fake exploit claim |
| 3 | Copies JS from paste.sh | Payload ready |
| 4 | Runs javascript: on Swapzone | Address swap |
| 5 | Completes BTC swap | Funds stolen |

Technical Breakdown

The script loads from rawtext.host/raw?btulo3. It is a heavily obfuscated Next.js override that selects a random BTC address from an embedded list, modifies the displayed rates for realism, and executes in the Swapzone session context.

No server-side detection is possible: the attack is browser-only. Victims unknowingly copy the wrong address.

Campaign Scale

Hundreds of Pastebin comments appear weekly. Multiple Google Docs rotate. The infrastructure uses rawtext.host and paste.sh. The campaign likely ties to prior ClickFix variants like CrashFix and FileFix.

Crypto users are prime targets. High-value BTC swaps maximize profit.

Protection Measures

  • Ignore Pastebin crypto tips.
  • Verify addresses twice before sending.
  • Use hardware wallets for swaps.
  • Disable JS URI execution via policies.
  • Check browser dev tools during swaps.

| Defense | Method | Coverage |
|---------|--------|----------|
| Browser Policy | Block javascript: URIs | Enterprise |
| Wallet Check | Manual address verify | All users |
| VPN + Monitoring | Traffic inspection | Advanced |
| Training | Spot social engineering | Essential |
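
The traffic inspection defense listed above, as an added example (not code from the original report): a Python filter over proxy logs that flags fetches to the paste hosts named in the article and rates them higher when the Referer is the swap site. The log format, sample lines and severity labels are constructed assumptions, and seeing the Referer presumes a TLS-inspecting proxy.

```python
from urllib.parse import urlsplit

# Hosts named in the article; the operators rotate domains, so treat as a seed list.
PASTE_HOSTS = {"rawtext.host", "paste.sh"}
# Swap site named in the article, where a raw-text fetch is unexpected.
SWAP_SITES = {"swapzone.io"}

# Constructed sample, assumed format: timestamp client method url referer
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.0.0.5 GET https://swapzone.io/exchange -
2025-01-01T10:00:09Z 10.0.0.5 GET https://rawtext.host/raw?EXAMPLE https://swapzone.io/
2025-01-01T10:02:00Z 10.0.0.7 GET https://paste.sh/EXAMPLE -
2025-01-01T10:03:00Z 10.0.0.8 GET https://cdn.example.com/app.js https://swapzone.io/
"""


def host_in(url, hosts):
    """True if the URL's host is a listed host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_suspicious(log_text):
    """Return (client, paste_host, severity) for each request to a paste host.

    "high": the request came from a swap page, matching a script running in
    that page's context pulling a second stage. "review": any other visit.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        _ts, client, _method, url, referer = parts
        if not host_in(url, PASTE_HOSTS):
            continue
        severity = "high" if host_in(referer, SWAP_SITES) else "review"
        hits.append((client, urlsplit(url).hostname, severity))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Matching on the parsed hostname rather than a substring keeps a look-alike Referer such as swapzone.io.evil.example from being scored as the real site.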

Related Threats

ClickFix family: CrashFix (browser crash), FileFix, JackFix, ConsentFix. All trick users into executing commands. The JS variant is a new escalation.

FAQ

How does Pastebin ClickFix steal crypto?

JS run in the browser swaps deposit addresses on Swapzone.

What does victim see?

Normal interface with fake profitable rates.

Irreversible damage?

Yes, Bitcoin transactions are final.

First JS-based ClickFix?

Yes, it targets the browser, not the OS.

Block javascript: protocol?

Use GPO or extensions in enterprise.
