Malware | January 2, 2026 | 4 min read

Lithuanian Arrested After KMSAuto Malware Steals $1.2M

A five-year investigation ends with extradition to South Korea. The 29-year-old allegedly infected 2.8 million Windows systems through trojanized software activation tools.

James Rivera

South Korean authorities have arrested a 29-year-old Lithuanian national accused of distributing clipboard-stealing malware through trojanized Windows activation tools. The suspect was extradited from Georgia under Interpol coordination after a five-year investigation that traced $1.2 million in stolen cryptocurrency back to roughly 2.8 million infected systems.

The case demonstrates how pirated software remains one of the most reliable malware distribution vectors—and how patient investigators can eventually catch operators who think they've gotten away clean.

How the Scam Worked

The suspect allegedly embedded clipper malware into KMSAuto, a widely used tool for illegally activating Windows and Microsoft Office installations. Users downloading what they thought was a simple activation bypass instead got persistent malware that monitored their clipboard.

When victims copied a cryptocurrency wallet address—common when making transfers—the malware silently replaced it with an attacker-controlled address. The victim would paste what they assumed was the correct address, confirm the transaction, and watch their funds disappear to a stranger's wallet.

The attack required no further interaction after initial infection. Victims had no indication anything was wrong until they noticed their crypto never arrived at its intended destination.
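The substitution described above leaves a detectable trace: an address the user placed on the clipboard is overwritten, almost immediately, by a different address written from a process that is not in the foreground. The following is an added example, not code from the article or from any tool it names, of detection logic that walks a stream of clipboard-write events and flags that pattern. The event schema (`writer`, `foreground`, `text`), the process names and the addresses are all constructed for the example; the regular expressions are loose syntactic checks, not full checksum validation.

```python
"""Clipboard-substitution detector over a constructed event stream (added example)."""
import re
from dataclasses import dataclass

# Loose syntactic patterns for common address families. Constructed for this example;
# production code would also validate checksums (Base58Check, bech32, EIP-55).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address family the text looks like, or None if it is not address-shaped."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


@dataclass
class ClipboardEvent:
    """One clipboard write as a hypothetical endpoint monitor would record it."""
    ts: float          # seconds since monitor start
    writer: str        # process that wrote the clipboard
    foreground: bool   # whether the writer owned the foreground window at the time
    text: str          # new clipboard contents


def detect_substitutions(events, window_s: float = 2.0):
    """Flag writes where an address copied by the foreground application is overwritten
    within `window_s` seconds by a *different* address from a background process.

    A benign clipboard manager re-writing the same value is not flagged, and an unrelated
    background write long after the user's copy is outside the window."""
    findings = []
    last_user_copy = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.foreground:
            last_user_copy = ev          # the user's own copy becomes the reference value
            continue
        if last_user_copy is None:
            continue
        original_family = classify_address(last_user_copy.text)
        replacement_family = classify_address(ev.text)
        if (original_family and replacement_family
                and ev.ts - last_user_copy.ts <= window_s
                and ev.text.strip() != last_user_copy.text.strip()):
            findings.append({
                "ts": ev.ts,
                "writer": ev.writer,
                "family": original_family,
                "original": last_user_copy.text,
                "replacement": ev.text,
            })
    return findings


# Constructed sample data: address-shaped strings, not real wallets.
VICTIM_BTC = "1VictimAddr" + "A" * 22
SWAPPED_BTC = "1AttackerAddr" + "B" * 21
USER_ETH = "0x" + "c" * 40

SAMPLE_EVENTS = [
    ClipboardEvent(0.00, "chrome.exe", True, VICTIM_BTC),
    ClipboardEvent(0.05, "svchost_lookalike.exe", False, SWAPPED_BTC),   # substitution
    ClipboardEvent(10.0, "notepad.exe", True, "meeting notes"),
    ClipboardEvent(10.1, "clipmgr.exe", False, "meeting notes"),         # benign, not an address
    ClipboardEvent(20.0, "chrome.exe", True, USER_ETH),
    ClipboardEvent(20.2, "clipmgr.exe", False, USER_ETH),                # same value, benign
    ClipboardEvent(30.0, "chrome.exe", True, USER_ETH),
    ClipboardEvent(45.0, "svchost_lookalike.exe", False, "0x" + "d" * 40),  # outside window
]

if __name__ == "__main__":
    for finding in detect_substitutions(SAMPLE_EVENTS):
        print(f"[{finding['ts']:.2f}s] {finding['writer']} replaced {finding['family']} address "
              f"{finding['original']} with {finding['replacement']}")
```

The time window and the foreground/background distinction are what keep the rule from firing on legitimate clipboard managers; a real deployment would feed it from whatever clipboard telemetry the endpoint agent exposes and alert on the writer process rather than on the address values themselves.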

The Numbers

Between 2020 and 2023, the trojanized KMSAuto was downloaded approximately 2.8 million times worldwide. Not every download led to successful theft—many victims may not have owned cryptocurrency or never made transfers while infected.

But for those who did, the losses were significant. South Korean authorities documented 8,400 fraudulent transfers from 3,100 wallets, totaling roughly 1.7 billion Korean won ($1.2 million). Eight South Korean victims alone lost 16 million won through the scheme.

The investigation began in August 2020 when a victim reported losing 1 Bitcoin—then worth about 12 million won—after malware automatically substituted the destination address during a transaction.

Five Years to Catch One Operator

Building the case took time. Investigators had to trace stolen cryptocurrency through multiple wallets and exchanges, identify the source of the malware, and eventually connect the digital breadcrumbs to a physical person.

In December 2024, authorities raided a location in Lithuania and seized 22 items including laptops and mobile phones. Forensic examination of those devices produced the evidence needed for arrest. The suspect was taken into custody in April 2025 while traveling from Lithuania to Georgia.

Extradition brought him to South Korea, where the investigation originated and where he now faces prosecution.

The Piracy Trap

KMSAuto targets people already willing to skirt licensing laws. That creates a perfect victim pool: users who downloaded illegal software are less likely to report problems to authorities, fearing their own liability. They're also less likely to have robust security software that might detect the malware.

The threat actor exploited this dynamic perfectly. By embedding malware in a tool that itself circumvents security controls, they found millions of users who had already demonstrated willingness to run untrusted executables.

This isn't a new technique. Trojanized piracy tools have distributed everything from ransomware to banking trojans for years. But the scale of this particular campaign—2.8 million downloads—shows how effective the vector remains.

Lessons for Organizations

While individual consumers were the primary victims here, the case has implications for enterprises too. Shadow IT, including unlicensed software, exists in more organizations than security teams would like to admit. Users who install KMSAuto at home might bring similar habits to work devices.

The mitigation is straightforward: proper software licensing combined with endpoint detection that flags known malicious tools. Microsoft's own licensing enforcement has improved significantly, reducing the temptation to seek activation bypasses. But for organizations still running legacy Windows deployments, auditing for unauthorized activation tools remains worthwhile.
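One way to run the audit suggested above is to check an endpoint inventory export for activation-tool names and for unsigned persistence binaries living in user-writable directories. The following is an added example, not code from the article or from any product; the `Artifact` record layout, the host names, the paths and the second name pattern are constructed placeholders. Only the KMSAuto name comes from the article.

```python
"""Inventory audit for unauthorized activation tools over constructed records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Name patterns for activation tools. "KMSAuto" is the tool named in the article; the second
# entry is a placeholder to be replaced with whatever names a team chooses to track.
ACTIVATION_TOOL_NAMES = [
    re.compile(r"kms[_ -]?auto", re.I),
    re.compile(r"PLACEHOLDER_TOOL_NAME", re.I),
]

# Directories an ordinary user can write to; persistence binaries here deserve scrutiny.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


@dataclass
class Artifact:
    """One inventory row from a hypothetical endpoint agent export."""
    host: str
    kind: str      # "file", "service" or "task"
    name: str      # file name, service name or scheduled task name
    path: str      # backing executable
    signed: bool   # whether the agent verified an Authenticode signature


def audit(artifacts):
    """Return findings for artifacts that match an activation-tool name or that are
    unsigned persistence mechanisms (services/tasks) backed by a user-writable path."""
    findings = []
    for art in artifacts:
        reasons = []
        if any(p.search(art.name) or p.search(art.path) for p in ACTIVATION_TOOL_NAMES):
            reasons.append("name matches activation-tool list")
        if art.kind in ("service", "task") and not art.signed and USER_WRITABLE.search(art.path):
            reasons.append(f"unsigned {art.kind} binary in user-writable path")
        if reasons:
            # Persistence or multiple indicators rank higher than a lone file hit.
            severity = "high" if art.kind != "file" or len(reasons) > 1 else "medium"
            findings.append({"host": art.host, "kind": art.kind, "name": art.name,
                             "path": art.path, "severity": severity, "reasons": reasons})
    return findings


def by_host(findings):
    """Group findings per host so each machine gets one ticket."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["host"]].append(f)
    return dict(grouped)


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Artifact("ws01", "file", "KMSAuto Net.exe",
             "C:\\Users\\alice\\Downloads\\KMSAuto Net.exe", signed=False),
    Artifact("ws01", "service", "KMSAutoService",
             "C:\\Users\\alice\\Downloads\\KMSAuto Net.exe", signed=False),
    Artifact("ws02", "task", "Updater",
             "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", signed=False),
    Artifact("srv01", "service", "Spooler",
             "C:\\Windows\\System32\\spoolsv.exe", signed=True),
    Artifact("ws03", "file", "app.exe",
             "C:\\Program Files\\Vendor\\app.exe", signed=True),
]

if __name__ == "__main__":
    for host, items in by_host(audit(SAMPLE_INVENTORY)).items():
        print(host)
        for item in items:
            print(f"  [{item['severity']}] {item['kind']} {item['name']}: {'; '.join(item['reasons'])}")
```

Name matching alone will miss renamed copies, which is why the second rule looks at where persistence points rather than what it is called; both rules are cheap enough to run across a whole fleet's inventory export on a schedule.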

For individuals, the message is simpler: if you're not paying for software, you might be paying in other ways.
