Crypto Malware Replaces Copied Bitcoin, Ethereum Addresses to Steal Funds

Francisco Memoria
  • A newly discovered type of malware reportedly hijacks users' clipboards to switch Bitcoin and Ethereum addresses to those of its creators.
  • The malware, dubbed ClipboardWalletHijacker, is said to have infected over 300,000 computers throughout the world.

Cybersecurity firm 360 Total Security has reportedly discovered a new cryptocurrency-related malware that hijacks users’ clipboards to replace copied bitcoin and ethereum addresses, in an attempt to steal funds.

According to 360 Total Security, the malware, dubbed ClipboardWalletHijacker, monitors victims’ clipboard activity to detect whether it contains a cryptocurrency address. When it finds one, it simply replaces it with an address belonging to the malware’s operators. The firm wrote:

“The Trojan monitors clipboard activity to detect if the activity contains the account address of Bitcoin (BTC) and Ethereum (ETH). It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojan has been detected on more than 300,000 computers within a week.”

360 Total Security

The cybersecurity firm identified an ETH address associated with the scam. At press time, said address has over $1,500 worth of tokens in it, and has recently moved over $6,500 worth of ETH to various other addresses.

Per the firm, the malware seemingly makes ETH addresses its primary target, as it first looks for these, and only then checks whether the user has copied a bitcoin address to the clipboard. Three BTC addresses belonging to ClipboardWalletHijacker’s owner(s) have been identified, with the largest one currently holding 0.0898 BTC ($580) in it.

Reports suggest the malware looks for ETH addresses by first identifying a “0x” string, and then looking for the correct number of characters. Similarly, it identifies BTC addresses by looking at clipboard content that starts with “1” or “3” and has a specific number of characters.

The malware’s campaign comes shortly after cybersecurity firm Carbon Black revealed that cybercriminals have stolen over $1.1 billion worth of cryptocurrency this year, with moves that purportedly weren’t too hard to pull off.

Last year, a malware known as CryptoShuffler netted hackers over $150,000 using a similar scheme, before it started being widely reported on. To stay safe, users should “enable antivirus software while installing new applications,” according to 360 Total Security. Before transacting, recipient addresses should be carefully checked.
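The address matching described above can also be turned around for detection. The following is an added example, not code from 360 Total Security or from the malware: it classifies clipboard strings by the same shapes (ETH first, then BTC) and flags a clipboard history in which one address is replaced by a different address of the same kind almost immediately. The exact lengths, the 2-second threshold, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Shapes as the article describes them: "0x" plus a fixed length for ETH,
# a leading "1" or "3" plus a bounded length for BTC. The exact lengths
# (40 hex chars; 26-35 Base58 chars in total) are assumptions added here.
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")
BTC_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def address_kind(text):
    """Return 'ETH', 'BTC' or None for a clipboard string (ETH checked first)."""
    text = text.strip()
    if ETH_RE.fullmatch(text):
        return "ETH"
    if BTC_RE.fullmatch(text):
        return "BTC"
    return None


def find_swaps(snapshots, max_gap=2.0):
    """Flag clipboard changes where an address is replaced by a different
    address of the same kind within max_gap seconds (hypothetical threshold:
    faster than a person would plausibly copy a second address)."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        same_kind = kind is not None and kind == address_kind(after)
        if same_kind and before.strip() != after.strip() and t1 - t0 <= max_gap:
            alerts.append({"time": t1, "kind": kind, "copied": before, "now": after})
    return alerts


# Constructed sample data: placeholder strings, not real wallet addresses.
COPIED_ETH = "0x" + "ab12" * 10
OTHER_ETH = "0x" + "cd34" * 10
COPIED_BTC = "1" + "A1b2C3d4" * 4
SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, COPIED_ETH),
    (5.3, OTHER_ETH),               # replaced 0.3 s after the copy: flagged
    (60.0, COPIED_BTC),
    (95.0, "3" + "Zz9Yy8Xx" * 4),   # different BTC address 35 s later: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SNAPSHOTS):
        print(alert)
```

The `(timestamp, text)` snapshots stand in for whatever clipboard-change notifications the platform provides; the same comparison of copied versus current value is what a manual check of the recipient address performs before sending.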