South Korean authorities, in cooperation with international law enforcement, have successfully extradited a 29-year-old Lithuanian national accused of orchestrating a sophisticated cryptocurrency theft scheme that stole roughly $1.8 million in digital assets.
A Malware Scheme Hidden in Plain Sight
According to investigators, the suspect developed and distributed a piece of malicious software called “KMSAuto” — a program that appeared to be a tool for activating Microsoft Windows systems but in reality contained malware designed to steal cryptocurrency.
The malware was disguised as legitimate software to attract users seeking to bypass Windows licensing. Once installed, it used advanced memory-hacking techniques to automatically replace victims’ intended cryptocurrency wallet addresses with the attacker’s addresses during digital currency transactions — all happening in real time without users noticing.
Authorities estimate that:
- The malware was downloaded over 2 million times worldwide, mainly by users of unlicensed Windows activation tools.
- More than 3,100 cryptocurrency wallets were compromised.
- The suspect intercepted approximately 840 transactions totaling about 1.7 billion won (around $1.8 million) in stolen digital assets.
- At least eight victims in South Korea alone lost a combined 16 million won in cryptocurrency.
A Multi-Year, Cross-Border Hunt
The crime came to light in August 2020, when a South Korean victim reported losing a Bitcoin to an unknown wallet address. Subsequent complaints revealed a pattern of diverted transactions.
South Korea’s National Office of Investigation (NOI) launched a lengthy probe that spanned multiple countries. Using digital forensic analysis, law enforcement traced stolen assets through cryptocurrency exchanges in six different countries.
In collaboration with Lithuania’s Ministry of Justice, prosecutors, and police, and with Interpol, which issued a Red Notice, Korean authorities identified the suspect and coordinated a raid on his residence in Lithuania in late 2024.
During the operation, law enforcement seized 22 electronic devices — including laptops and mobile phones — believed to be connected to the theft scheme.
Once detained, the Lithuanian national was formally extradited to South Korea to face prosecution, marking the successful conclusion of a five-year international investigation.
Broader Implications for Crypto Security
This case highlights the growing sophistication of malware and cybercrime within the cryptocurrency ecosystem. Cybercriminals are deploying more advanced tactics to intercept digital transactions, often leveraging trusted software disguises to infect victims.
It also underscores the importance of:
- Downloading software only from trusted, official sources
- Implementing robust anti-malware protections
- Exercising caution when using third-party activation tools or pirated software
While $1.8 million may be modest compared to some historical crypto heists, the method used here — silently swapping wallet addresses in real time — reflects how everyday users remain at risk if basic cybersecurity hygiene is neglected.
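An added example, not part of the original report: a pre-send check against the address swap described above, comparing the destination about to be used with a copy saved out-of-band. The address book, the function names and the sample addresses are assumptions constructed for illustration, and only legacy Base58Check Bitcoin addresses are handled.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, payload: bytes) -> str:
    """Build a Base58Check string; used here only to construct sample addresses."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1's
    return "1" * pad + out

def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes with a correct 4-byte checksum."""
    if not addr or any(c not in ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + ALPHABET.index(c)
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * pad + body
    return len(raw) == 25 and _checksum(raw[:21]) == raw[21:]

def verify_destination(label: str, candidate: str, address_book: dict) -> str:
    """Compare the address about to be used with the one saved out-of-band."""
    expected = address_book.get(label)
    candidate = candidate.strip()
    if expected is None:
        return "unknown-recipient"
    if candidate == expected:
        return "ok"
    # A swapped address is normally a perfectly valid address, so a checksum
    # pass here does not mean the destination is the intended one.
    return "substituted" if b58check_valid(candidate) else "malformed"

# Constructed sample data: addresses derived from made-up 20-byte hashes.
INTENDED = b58check_encode(0x00, hashlib.sha256(b"intended payee").digest()[:20])
OTHER = b58check_encode(0x00, hashlib.sha256(b"someone else").digest()[:20])
BOOK = {"exchange-deposit": INTENDED}
```

Because a substituted address still passes checksum validation, only the full-string comparison with the saved value catches the swap; checking the first or last few characters is not equivalent.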

