APT / THREAT GROUP

CoinThief

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

It was spreading in early 2014 from several different sources:

- on GitHub (where the trojanized compiled binary didn’t match the displayed source code),

- on popular and trusted download sites like CNET's Download.com or MacUpdate.com, and

- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher’s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted Bitcoin-Qt versions 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all of the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker.

The browser extensions targeted Chrome and Firefox and were disguised as a “Pop-up blocker”. The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address, or simply harvest login credentials for the targeted online service.

The backdoor enabled the attacker to take full control over the victim’s computer:

- collect information about the infected computer

- execute arbitrary shell scripts on the target computer

- upload an arbitrary file from the victim’s hard drive to a remote server

- update itself to a newer version

Threat Analysis

CoinThief is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

CoinThief, osx.cointhief

External Intelligence

Malpedia: osx.cointhief

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.