Software pirates looking to score a free copy of Microsoft Windows are running afoul of malware-riddled "activation tools" that empty their crypto wallets.

According to security research firm Red Canary (via PC World), infections of systems with the well-known Cryptbot malware have been traced back to a fake KMSPico installer—a tool used by software pirates to activate the full features of Microsoft Windows and Office products without owning a license key.

Since security tools usually block KMSPico as a Potentially Unwanted Program (PUP), the software comes with instructions to disable antivirus and anti-malware software—allowing Cryptobot to run rampant on the system.


Once introduced to a system, Cryptbot scours it for credentials and other sensitive information, including cryptocurrency wallets. The list of wallets at risk from Cryptbot is extensive and includes the likes of Electrum, Monero, Exodus, and Ledger Live, as well as other applications such as web browsers (including Google Chrome, Mozilla Firefox, Brave and Opera).

Since the KMSPico installer leverages Windows Key Management Services (KMS)—a legitimate technology used for bulk licensing across enterprise networks—some IT departments that actually had legitimate licenses reportedly used the illicit tool to activate their systems, inadvertently corrupting their systems with Cryptbot.

Malware targets crypto

Given the lucrative potential rewards involved in cryptocurrency, malware has been a perennial thorn in the side of crypto users. Schemes have ranged from crypto-mining malware that ties up system resources to fraudulent crypto apps designed to setal users' private keys.

In one recent case, a man sued the parents of two teenagers who he claims used malware to steal $800,000 worth of Bitcoin.


In the case of the infected KMSPico installer, taking shortcuts and trying to get access to software without shelling out for a license could end up being extremely costly for crypto users.

Stay on top of crypto news, get daily updates in your inbox.