International cooperation halts global malware campaign distributed via KMSAuto

Updated on 15/01/2026

Approximately 2.8 million systems worldwide were infected in a large-scale malware campaign between April 2020 and January 2023. The infection was delivered through a malicious executable hidden in KMSAuto, an unofficial tool used to activate Microsoft software. The malware was designed to monitor the user's clipboard and replace copied cryptocurrency wallet addresses with others under the attacker's control, so that funds were diverted during otherwise legitimate transactions. The operation was detected and investigated by the authorities, and it was described in security reports and official statements at the end of 2025, once the details of the case and its consequences had been revealed.

The South Korean National Police, in collaboration with Interpol, conducted a lengthy investigation that ultimately led to a 29-year-old Lithuanian suspect. Investigations established that the malware affected users in more than six countries and compromised nearly 3,100 virtual asset addresses, with around 8,400 fraudulent transactions and losses valued at approximately $1.2 million for those affected. In response, law enforcement agencies issued an international arrest warrant and extradited the suspect to South Korea, where he was prosecuted and officially arrested.

Following the detection of the suspect, the campaign has been dismantled, marking significant progress in the battle against this type of international cybercrime operation. The official statements and the investigation have helped to warn the public about the dangers of using unofficial and pirated tools, which can become vectors for malware attacks, and to determine the extent of the infections. The authorities have expressed their desire to continue working with international entities in the future to pursue other possible suspects, strengthen preventive measures, and warn users about unsafe practices.