A Lithuanian national has been extradited to South Korea to face charges related to a cryptocurrency theft scheme carried out using malware disguised as legitimate software. South Korean authorities said the suspect distributed malicious code through altered versions of KMSAuto, a tool commonly used to activate Microsoft Windows without a license.
According to investigators, the malware was embedded in KMSAuto downloads and spread to computers in multiple countries over several years. The infected files were shared online and downloaded millions of times, allowing the malware to reach a wide range of victims, including users in South Korea.
Once installed, the malware monitored clipboard activity on infected systems. When a user copied a cryptocurrency wallet address to make a transfer, the malware silently replaced it with a wallet address controlled by the attacker. Funds were therefore sent to the attacker rather than the intended recipient, with no obvious sign of tampering during the transaction process.
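The substitution described above can be spotted from the defender's side by watching the clipboard for exactly that behaviour: one wallet address being replaced by a different address of the same coin a fraction of a second after the user copied it. The monitor below is an added illustration written for this article, not code from the investigation; the address patterns, the two-second window and the sample clipboard contents are all constructed assumptions.

```python
import re
# Loose shape checks for two common address formats (constructed for
# illustration; a production monitor would also verify per-coin checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the coin type if text looks like a wallet address, else None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return coin
    return None

class ClipboardSwapMonitor:
    """Flags an address replaced by a different same-coin address within `window`
    seconds: clippers rewrite right after a copy; people rarely copy that fast."""
    def __init__(self, window=2.0):
        self.window = window
        self.last = None    # (timestamp, coin, address) of the last address seen
        self.alerts = []    # (timestamp, coin, original, replacement)

    def observe(self, ts, text):
        """Feed one polled clipboard sample; return an alert tuple or None."""
        coin = classify(text)
        if coin is None:
            return None
        address, alert = text.strip(), None
        if self.last is not None:
            t0, coin0, addr0 = self.last
            if coin0 == coin and addr0 != address and ts - t0 <= self.window:
                alert = (ts, coin, addr0, address)
                self.alerts.append(alert)
        self.last = (ts, coin, address)
        return alert

# Constructed clipboard samples (seconds, text); the addresses are placeholders.
SAMPLE = [
    (0.0, "meeting notes"),     # not an address: ignored
    (1.0, "0x" + "a" * 40),     # user copies the intended recipient
    (1.3, "0x" + "b" * 40),     # rewritten 300 ms later: clipper behaviour
    (30.0, "0x" + "c" * 40),    # unrelated copy much later: not flagged
]

def run_sample():
    monitor = ClipboardSwapMonitor()
    for ts, text in SAMPLE:
        monitor.observe(ts, text)
    return monitor.alerts
```

The monitor only sees what a poller sampled, so a rewrite faster than the polling interval can slip through; it complements, rather than replaces, checking the pasted address against the intended one before confirming a transfer.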
South Korean police said the operation resulted in thousands of compromised wallet addresses and hundreds of intercepted transactions. The total value of the stolen cryptocurrency was estimated at about 1.7 billion won. Authorities said several South Korean victims reported losses, prompting the initial investigation.
The case began in 2020 after a cryptocurrency user reported that funds had been diverted to an unknown wallet. Investigators traced the transaction and identified the clipboard replacement technique, eventually linking the activity to malicious versions of the KMSAuto software.
Law enforcement agencies in several countries cooperated during the investigation. South Korean authorities issued an international arrest request, and the suspect was later detained in Georgia while attempting to enter the country. Lithuanian police assisted in searching the suspect’s residence and seizing electronic devices believed to be connected to the case.
Following legal proceedings, Georgian authorities approved the extradition to South Korea, where the suspect now faces prosecution under laws covering cybercrime and virtual asset theft. South Korean police said the case highlighted the importance of international cooperation in addressing crimes that cross national borders.
Authorities said the incident demonstrated the risks of downloading unofficial software from unverified sources. By disguising malware as a commonly used activation tool, the attacker was able to exploit user trust and intercept financial transactions with little to alert the victim.
South Korean investigators advised cryptocurrency users to carefully verify wallet addresses before completing transfers and to avoid installing software from unofficial distribution channels. They said the case underscored how malware targeting everyday user behaviour can result in financial losses without exploiting vulnerabilities in cryptocurrency networks themselves.
