The Extradition of a Memory Thief: How a Fake Windows Tool Stole $1.2M in Crypto
A foreign hacker who stole cryptocurrency worth more than 1.7 billion won (approximately $1.18 million) using malware that covertly replaced wallet addresses has been extradited to South Korea. According to the National Office of Investigation under the Korean National Police Agency, the 29-year-old Lithuanian national was transferred from Georgia and subsequently arrested under a court-issued warrant.
Investigators believe that between April 2020 and January 2023, the suspect distributed malware known as KMSAuto, disguising it as a Microsoft Windows activation tool. The software targeted users who did not rely on legitimate licensing mechanisms and, according to police, was downloaded or installed around 2.8 million times worldwide.
The core technique involved what authorities describe as a “memory hijack.” During a cryptocurrency transaction on an infected computer, the malware automatically replaced the intended wallet address with one controlled by the attacker. As a result, victims sent funds believing the details were correct, while the transfer was silently redirected to the hacker—often going unnoticed until a later review.
South Korean law enforcement reports that more than 3,100 wallet addresses were compromised, with cryptocurrency siphoned off in over 8,400 transactions. The total damage is estimated at approximately 1.7 billion won (about $1.18 million). South Korean residents were among the victims: eight individuals collectively lost around 16 million won (roughly $11,000).
The investigation began in August 2020 after a user reported the loss of one bitcoin—worth about 12 million won (approximately $8,300) at the time—when a transfer unexpectedly went to a different address. Subsequent analysis traced the movement of the stolen assets across six countries, including through domestic cryptocurrency exchanges, and identified seven additional Korean victims.
Once the suspect was identified, South Korean police coordinated with Lithuania’s Ministry of Justice, prosecutors, and law enforcement in December 2024. A search of the suspect’s residence in Lithuania led to the seizure of 22 items, including mobile phones and laptops. To bring him to justice in South Korea, authorities requested an Interpol Red Notice, and in April, Georgian police detained the man after he entered the country. Seoul then formally sought extradition, and, according to officials, after five years and four months of investigation, the suspect was ultimately brought to South Korea.