Lithuanian hacker don comot $1.8M crypto with KMSAuto malware, dem extradite am go South Korea

South Korea don send go back one 29-year-old Lithuanian wey dem accuse say im jandot about 1.7 billion won (~$1.8M) crypto using KMSAuto, one bad Windows activation tool. National Office of Investigation (NOI) don finish five-year, many-country investigation wey find say the malware — wey people don download pass 2 million times between 2020 and 2023 — dey do real-time memory/clipboard manipulation to change destination wallet addresses during transaction. Investigators talk say the campaign don compromise over 3,100 addresses worldwide and intercept about 840 transactions, make the attacker about 1.7 billion won; eight victims for South Korea report say dem lose combined about 16 million won. Inquiry start after one complaint for August 2020 about one stolen bitcoin. Law enforcement trace funds through exchanges for six countries, seize 22 devices from the suspect house, work with Lithuanian authorities, issue Interpol red notice, and arrest am for Georgia before dem extradite am to Korea. Authorities advise users make dem no use unlicensed software, verify wallet addresses before them send funds, and watch for wallet‑swapping malware. For crypto traders: the case show say risk still dey from address‑hijacking malware wey dey target users of pirated or third‑party tools, the need for address verification (hardware wallets, address whitelisting, copy‑paste checks), and say coordinated cross‑border enforcement fit recover leads and disrupt persistent malware campaigns.