Lithuanian Hacker Extradited to South Korea After $1.8M Crypto Theft via KMSAuto Malware

South Korea extradited a 29-year-old Lithuanian national accused of stealing about 1.7 billion won (~$1.8M) in cryptocurrency using KMSAuto, a malicious Windows activation tool. The National Office of Investigation (NOI) concluded a five-year, multi-country probe that found the malware — downloaded more than 2 million times between 2020 and 2023 — performed real-time memory/clipboard manipulation to swap destination wallet addresses during transactions. Investigators say the campaign compromised over 3,100 addresses worldwide and successfully intercepted roughly 840 transactions, netting the attacker ~1.7 billion won; eight South Korean victims reported combined losses of about 16 million won.

The inquiry began after an August 2020 complaint about a stolen bitcoin. Law enforcement traced funds through exchanges in six countries, seized 22 devices from the suspect’s residence, worked with Lithuanian authorities, issued an Interpol red notice, and arrested him in Georgia before extradition to Korea.

Authorities warned users to avoid unlicensed software, verify wallet addresses before sending funds, and be aware of wallet‑swapping malware. For crypto traders: the case highlights continued risk from address‑hijacking malware targeting users of pirated or third‑party tools, the importance of address verification practices (hardware wallets, address whitelisting, copy‑paste checks), and that coordinated cross‑border enforcement can recover leads and disrupt persistent malware campaigns.
Bearish
The theft involved wallet‑swapping malware that intercepted cryptocurrencies during transfers. This type of crime directly undermines user confidence in on‑chain transfers and custodial practices, which can reduce short‑term demand and increase sell pressure for the affected assets. The stolen funds (~$1.8M) are modest relative to overall market caps, so the direct price impact on major cryptocurrencies (e.g., BTC) should be limited and short‑lived. However, the broader market impact is negative: traders may reduce on‑chain activity, move funds into cold/hardware wallets, or delay transactions until they adopt stronger address‑verification practices. In the short term, expect elevated caution, potential temporary volatility for smaller tokens associated with victims, and increased trading of stablecoins as funds are cycled off exchanges. In the longer term, enforcement actions and recovered leads can restore some confidence, and heightened security awareness (use of hardware wallets, whitelists, and audited software) may reduce recurrence. Overall, the immediate sentiment effect is bearish but unlikely to materially shift prices of major cryptocurrencies.