
Fake US government bitcoin scam spreading trojan through Twitter

Don't be caught out! A new Trojan has been spreading through Twitter, claiming to link to an article about the US Government cracking down on bitcoin.

The alert was raised today by security firm Malwarebytes.

The tweet, which you may already have seen, reads: "USA Government trying to shut down Bitcoin network read more here:" with a link to a malicious site.

If users click on the link, they're taken to a fake Wall Street Journal video which is a pretty convincing mock-up.

However, if you take a look at the URL you can see that it's a site called "" a website for a business in Thailand, although actually visiting the source domain leads to nothing more than a black screen. Clearly the site was compromised.

The majority of the accounts pushing the fake tweet are clearly fake, but some legitimate users are retweeting the link without even checking what's in it.

The video is designed to look like it's loading, but shortly after a pop-up to install Adobe Flash Player will appear.

Clicking the "Install" button gives the user the option to download the Flash Player files, which then leads to them downloading a RAR file that includes four files: two DLLs, a ReadMe.htm file and a file called Install_Adobe_Flash_Player.exe. This last one is the dangerous payload. The moment you launch it, the file itself is relocated to the system's Temp folder and made hidden.

Malwarebytes have said that the Trojan itself looks to be a remote access Trojan, possibly related to the DarkComet RAT.
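The payload behaviour described above (an executable that moves itself into the Temp folder and sets the hidden attribute) can be checked for on a Windows machine. The following PowerShell is an added triage example, not something published by Malwarebytes or this site; it assumes the current user's Temp folder is the one affected and limits itself to `.exe` files.

```powershell
# Added triage example: list hidden executables in the current user's Temp
# folder. A hit is a lead for investigation, not proof of infection, since
# some legitimate installers also leave hidden files there.
$tempDir = [System.IO.Path]::GetTempPath()

# -Force is required, otherwise Get-ChildItem skips hidden items entirely.
$hits = Get-ChildItem -LiteralPath $tempDir -File -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -and
        ($_.Extension -eq '.exe')
    }

$report = foreach ($f in $hits) {
    # Signature status and hash give something to compare against vendor data.
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTime
        SizeBytes = $f.Length
        SHA256    = $hash.Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

if ($report) {
    # Newest files first: a recent, unsigned, hidden .exe deserves a closer look.
    $report | Sort-Object Created -Descending | Format-List
} else {
    Write-Output "No hidden .exe files found under $tempDir"
}
```

An unsigned or `NotSigned` entry created around the time the fake Flash Player installer was run is the one to hand to an anti-malware scanner.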
