Crypto-Stealing Malware Has Quietly Become an Enterprise Treasury Problem
Threat Intelligence
Clipboard hijackers, browser extension theft, and wallet drainers have evolved from consumer-grade nuisance into a credible threat to enterprise treasury, payroll, and crypto-adjacent business operations.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 23, 2024 · 6 min read
A Web3 startup we advise had their treasury wallet drained in November of last year. $2.4M gone in a single transaction. Forensics showed the CFO had clicked a Discord link about a partnership opportunity, signed a transaction in their MetaMask popup that looked like a routine token approval, and authorized an unlimited spend allowance for a malicious contract. The drainer kit that built the phishing flow was rented from a Telegram channel for 15 percent of stolen funds.
Crypto-stealing malware used to be predominantly a consumer problem: clipboard hijackers swapping wallet addresses on individuals, infostealers grabbing wallet.dat files from gamers. That base layer still exists, but the threat has matured into something corporate finance teams need to take seriously, especially as more enterprises hold crypto on balance sheet, accept stablecoin payments, or run treasury operations through onchain protocols.
The four current attack patterns
- Clipboard hijackers: malware monitors the clipboard for anything resembling a wallet address (regexes for the BTC, ETH and USDT address formats) and silently substitutes the attacker's address. The user pastes, sends, and the funds go to the wrong destination. Still highly effective against finance staff who copy-paste addresses.
- Browser extension theft: infostealers extract MetaMask, Phantom, and similar wallet extension data including encrypted seed phrases. Brute-forcing the password offline is then often feasible if the password is weak.
- Wallet drainer kits: malicious dApps that prompt users to sign transactions which appear benign but actually grant unlimited spend approvals on tokens. Inferno Drainer, Pink Drainer and Angel Drainer were the dominant kits through 2024-2025; new variants continue to appear.
- Direct private key extraction: targeted intrusions into orgs holding hot wallets, with the attacker locating wallet files, environment variables, or HSM credentials that allow direct fund movement.
Why enterprise treasury is now in scope
The shift toward enterprise targeting tracks the increase in corporate crypto exposure. Public companies holding BTC on balance sheet, payment processors moving stablecoin volume, exchanges and custodians, DeFi protocols with treasuries denominated in their own token, NFT projects with unlocked treasury wallets, and, increasingly, ordinary businesses accepting USDC as a payment rail: all of these create wallet operators with corporate-scale targets and consumer-grade security practices.
We have seen attacks targeting CFOs and treasury teams via LinkedIn-themed phishing, fake Web3 partnership proposals sent to founders, compromised vendor contacts asking for payment to a new wallet address, and SIM swap attacks against executives at crypto-adjacent companies, aimed at the SMS-based 2FA on their exchange accounts.
Controls that actually work
Hardware wallets are the single highest-leverage control. Any wallet holding more than nominal value (exact threshold varies, but anything you would care about losing) belongs on a hardware wallet, with the device used in air-gapped or near-air-gapped fashion for high-value transactions. Software wallets on internet-connected machines should hold only operating capital.
- Multi-signature for treasury: 2-of-3 or 3-of-5 with signers on different devices and ideally different physical locations.
- Address allowlisting where the custody platform supports it: outbound transfers can only go to pre-approved addresses, with a time delay for new approvals.
- Transaction simulation tools (Wallet Guard, Pocket Universe, Blockaid) integrated into wallet UX to flag drainer-style approvals before signing.
- Hardware MFA on all exchange accounts; SMS and TOTP are insufficient against SIM swap and infostealer threats respectively.
- Dedicated, hardened workstation for treasury operations: not the CFO's laptop, not shared, not used for email or web browsing.
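One way to express the allowlisting and multi-signature controls above as a policy engine, written here as an added example rather than any custody platform's API or the article's own code. It combines a destination allowlist with an activation delay for new entries and an M-of-N approval gate on each outbound transfer. The signer names, the 2-of-3 threshold and the 24 hour delay are constructed values.

```python
"""Treasury outbound-transfer policy: allowlisted destinations with an
activation delay, and M-of-N signer approval before a transfer can execute.

Added example, not from the article and not any custody platform's API;
signer names, the 2-of-3 threshold and the 24 h delay are constructed."""
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when a request violates the treasury policy."""


@dataclass
class TreasuryPolicy:
    signers: frozenset          # people (or signing devices) allowed to approve
    threshold: int              # M in M-of-N
    allowlist_delay_s: int      # new destinations usable only after this delay
    allowlist: dict = field(default_factory=dict)   # address -> activation time
    pending: dict = field(default_factory=dict)     # transfer id -> record

    def propose_destination(self, address, now):
        """Queue a destination. The delay means an attacker who compromises one
        operator cannot add a fresh address and drain to it in the same session;
        the team has the delay window to notice and reject it."""
        self.allowlist.setdefault(address.lower(), now + self.allowlist_delay_s)

    def reject_destination(self, address):
        """Drop a queued or active destination (the review step during the delay)."""
        self.allowlist.pop(address.lower(), None)

    def destination_active(self, address, now):
        activation = self.allowlist.get(address.lower())
        return activation is not None and now >= activation

    def request_transfer(self, transfer_id, destination, amount, now):
        """Open a transfer request; refused unless the destination is active."""
        if not self.destination_active(destination, now):
            raise PolicyError(f"{destination} is not an active allowlisted destination")
        if transfer_id in self.pending:
            raise PolicyError(f"transfer {transfer_id} already exists")
        self.pending[transfer_id] = {
            "destination": destination.lower(), "amount": amount, "approvals": set(),
        }

    def approve_transfer(self, transfer_id, signer):
        """Record one signer's approval; returns True once the threshold is met.
        Approvals are a set, so one signer approving twice still counts once."""
        if signer not in self.signers:
            raise PolicyError(f"{signer} is not an authorised signer")
        if transfer_id not in self.pending:
            raise PolicyError(f"unknown transfer {transfer_id}")
        self.pending[transfer_id]["approvals"].add(signer)
        return self.can_execute(transfer_id)

    def can_execute(self, transfer_id):
        return len(self.pending[transfer_id]["approvals"]) >= self.threshold


if __name__ == "__main__":
    dest = "0x" + "cd" * 20   # constructed destination address
    policy = TreasuryPolicy(frozenset({"cfo-ledger", "ceo-trezor", "controller-ledger"}), 2, 24 * 3600)
    policy.propose_destination(dest, now=0)
    print("active after 1 h?", policy.destination_active(dest, now=3600))
    policy.request_transfer("t-1", dest, 250_000, now=24 * 3600)
    print("executable after one approval?", policy.approve_transfer("t-1", "cfo-ledger"))
    print("executable after second approval?", policy.approve_transfer("t-1", "ceo-trezor"))
```

The delay and the threshold guard different failures: the delay buys time against a single compromised operator adding a new destination, while the threshold means no single signing device can move funds even to an approved one.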
Detection on the network and endpoint side
Clipboard hijacker detection is feasible: monitor for processes that access the clipboard at high frequency, and watch for a wallet-address-shaped value being changed between the copy and the paste. Some EDR products do this natively; others need custom rules. Browser extension theft detection ties back to general infostealer detection (covered in our previous article on that topic).
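The copy-to-paste substitution check described above, together with the address-shape matching from the clipboard hijacker entry in the attack-patterns list, as an added example that is not part of the original article. It assumes an endpoint agent that records every clipboard change with a timestamp and the process that wrote it (the ClipEvent shape is an assumption about such a log); the address patterns are shape-only regexes, and the trace it runs over is constructed.

```python
"""Clipboard-substitution detector run over recorded clipboard-change events.

Added example, not from the article. The event format (timestamp, the process
that wrote the clipboard, the new text) is an assumption about what an
endpoint agent would record; the sample trace below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Shape-only patterns for the address formats the article names. USDT lives on
# Ethereum (ERC-20, 0x... shape) and Tron (TRC-20, T... shape), so it is covered
# by those two entries. No checksum validation: a hijacker's replacement address
# is itself a valid address, so shape is all there is to key on.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


@dataclass(frozen=True)
class ClipEvent:
    ts_ms: int    # when the clipboard content changed
    owner: str    # process that wrote it (what GetClipboardOwner reports on Windows)
    text: str     # new clipboard text


def address_kind(text):
    """Return which address shape a clipboard value matches, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def detect_substitutions(events, window_ms=2000):
    """Flag an address being replaced by a *different* address of the same kind
    within window_ms of the original copy. A person rarely copies two different
    addresses for the same chain within a couple of seconds; a hijacker
    rewriting the clipboard right after the user's copy produces exactly this
    pair, usually from a process that is not the foreground application."""
    alerts = []
    prev = None
    for ev in sorted(events, key=lambda e: e.ts_ms):
        kind = address_kind(ev.text)
        if prev is not None and kind is not None:
            if (address_kind(prev.text) == kind
                    and prev.text.strip() != ev.text.strip()
                    and ev.ts_ms - prev.ts_ms <= window_ms):
                alerts.append({
                    "kind": kind,
                    "original": prev.text.strip(),
                    "replacement": ev.text.strip(),
                    "writer": ev.owner,
                    "delta_ms": ev.ts_ms - prev.ts_ms,
                })
        prev = ev
    return alerts


def writes_per_owner(events):
    """Clipboard writes per process. A background process that writes the
    clipboard as often as the user's own applications is the high-frequency
    signal worth a custom EDR rule."""
    return Counter(ev.owner for ev in events)


# Constructed trace: a copy from the browser, overwritten 350 ms later by an
# unrelated process with a different ETH address (the hijacker pattern), then
# ordinary copies of other chains far enough apart not to trigger.
SAMPLE_EVENTS = [
    ClipEvent(1000, "explorer.exe", "quarterly vendor invoice"),
    ClipEvent(5000, "chrome.exe", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"),
    ClipEvent(5350, "unknown_helper.exe", "0x" + "9" * 40),
    ClipEvent(20000, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(90000, "chrome.exe", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_EVENTS):
        print("CLIPBOARD SUBSTITUTION:", alert)
    print("writes per process:", dict(writes_per_owner(SAMPLE_EVENTS)))
```

The window is deliberately short: widening it trades false positives from legitimate back-to-back copies against missing a hijacker that waits before rewriting, and the writer field is what lets an analyst tell the two apart.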
The drainer kit problem is harder because the malicious activity happens on the blockchain, not on your network. Defenses are primarily user-side: training treasury and finance teams on the specific patterns of approval-based drainers, requiring secondary review for any new contract interaction, and integrating transaction simulation into wallet workflows.
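What a pre-signature check of the kind the simulation tools above perform actually looks for in approval calldata, as an added example (not code from the article or from Wallet Guard, Pocket Universe or Blockaid, and covering the unlimited-approval pattern from the drainer kit entry in the attack-patterns list). It decodes the two standard approval functions from raw calldata and applies a treasury policy: block unlimited or over-limit allowances and blanket operator approvals, and send any approval to an unfamiliar spender to secondary review. The function selectors are the standard ERC-20/ERC-721 ones; the policy thresholds, addresses and sample transactions are constructed.

```python
"""Pre-signature check for approval-style calldata.

Added example, not from the article or from any simulation tool it names.
Selectors are the standard ERC-20/ERC-721 ones; the policy limits and every
address and transaction below are constructed.
"""

UNLIMITED = 2**256 - 1

# 4-byte selectors: first 4 bytes of keccak256 of the canonical signature.
SELECTORS = {
    "095ea7b3": ("approve", (("spender", "address"), ("amount", "uint256"))),
    "a22cb465": ("setApprovalForAll", (("operator", "address"), ("approved", "bool"))),
}


def _decode_word(word, typ):
    if typ == "address":
        return "0x" + word[-40:].lower()   # address is right-aligned in the 32-byte word
    if typ == "uint256":
        return int(word, 16)
    if typ == "bool":
        return int(word, 16) != 0
    raise ValueError(typ)


def decode_call(data_hex):
    """Return (function_name, {arg: value}) for a recognised selector, else None."""
    data = data_hex[2:] if data_hex.startswith("0x") else data_hex
    entry = SELECTORS.get(data[:8].lower())
    if entry is None:
        return None
    name, params = entry
    if len(data) != 8 + 64 * len(params):   # malformed or trailing bytes: do not guess
        return None
    args = {}
    for i, (pname, typ) in enumerate(params):
        args[pname] = _decode_word(data[8 + 64 * i: 8 + 64 * (i + 1)], typ)
    return name, args


def assess(tx, allowed_spenders, max_allowance):
    """Classify a transaction as allow / review / block, with reasons.

    Policy (an assumption for this example): unlimited or over-limit allowances
    and blanket operator approvals are blocked outright; an approval to an
    unfamiliar spender goes to secondary review; calldata that is not a
    recognised approval is also routed to review rather than silently allowed."""
    decoded = decode_call(tx["data"])
    if decoded is None:
        return {"verdict": "review", "reasons": ["calldata is not a recognised approval; manual review"]}
    name, args = decoded
    reasons, severe = [], False
    if name == "approve":
        spender = args["spender"]
        if args["amount"] == UNLIMITED:
            reasons.append("unlimited ERC-20 allowance requested")
            severe = True
        elif args["amount"] > max_allowance:
            reasons.append(f"allowance {args['amount']} exceeds per-transaction limit {max_allowance}")
            severe = True
    else:  # setApprovalForAll
        spender = args["operator"]
        if args["approved"]:
            reasons.append("operator approval over every token in the collection")
            severe = True
    if spender not in {a.lower() for a in allowed_spenders}:
        reasons.append(f"spender {spender} is not on the treasury allowlist")
    verdict = "block" if severe else ("review" if reasons else "allow")
    return {"verdict": verdict, "function": name, "spender": spender, "reasons": reasons}


def encode_approval(selector, address, value):
    """ABI-encode a two-argument approval call; used here only to build sample input."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(int(value), "064x")


# Constructed addresses and transactions.
ROUTER = "0x" + "cd" * 20      # a spender the treasury already vetted
UNKNOWN = "0x" + "ab" * 20     # the "partnership" dApp's contract
TOKEN = "0x" + "ef" * 20
ALLOWLIST = [ROUTER]
MAX_ALLOWANCE = 10**12         # e.g. 1,000,000 USDC at 6 decimals

DRAINER_STYLE = {"to": TOKEN, "data": encode_approval("095ea7b3", UNKNOWN, UNLIMITED)}
ROUTINE = {"to": TOKEN, "data": encode_approval("095ea7b3", ROUTER, 1_000 * 10**6)}
NFT_OPERATOR = {"to": TOKEN, "data": encode_approval("a22cb465", UNKNOWN, 1)}

if __name__ == "__main__":
    for label, tx in [("drainer-style", DRAINER_STYLE), ("routine", ROUTINE), ("nft", NFT_OPERATOR)]:
        print(label, assess(tx, ALLOWLIST, MAX_ALLOWANCE))
```

The point of the "review" verdict for undecoded calldata is the article's secondary-review rule: a contract interaction the checker does not understand is treated as new, not as safe.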
Insurance and incident response
Crypto incidents have specific properties that traditional cyber insurance and IR firms are still adapting to. Funds move in seconds, not days. Recovery is rare, and when it happens, it is via on-chain tracing and exchange cooperation rather than traditional law enforcement. If you hold meaningful crypto value, you need IR partners with on-chain investigation capability and pre-existing relationships with exchanges for rapid freeze requests. Building those relationships during the incident is too late.
Treat any wallet you control as a critical asset. Treat any signature you authorize as an irreversible authorization. The threat actors have already made that adjustment.