Cybersecurity researchers are warning of a novel social engineering campaign that leverages Pastebin comments to trick cryptocurrency users into executing malicious JavaScript in their browser — ultimately allowing attackers to hijack crypto swap transactions and steal funds.
Overview of the Threat
In mid-February 2026, analysts observed a widespread campaign in which threat actors are leaving seemingly innocuous comments on Pastebin posts. These comments promote a supposed arbitrage exploit for Swapzone.io — a cryptocurrency swap service — claiming users can earn significant profits quickly. Behind the scenes, however, the links and instructions lead to steps that execute attacker-controlled JavaScript code.
Traditionally, ClickFix attacks are a type of social engineering scam that convinces victims to copy and paste malicious commands into a command prompt or terminal. This latest campaign represents a significant evolution: instead of targeting the operating system with PowerShell or shell scripts, the attacker is convincing victims to execute JavaScript in their web browser.
How the Attack Operates
The malicious chain leverages human trust and browser behavior rather than exploiting software bugs:
- Pastebin as a Delivery Vector: Comments on Pastebin posts contain links to resources hosted on rawtext[.]host, a site serving the JavaScript payload. These are accompanied by claims of a profitable exploit or leaked exploit documentation.
- Fake Instructions Appearing Legitimate: Victims are directed to a Google Docs page containing detailed instructions to navigate to Swapzone.io and execute JavaScript directly in the address bar using the javascript: URI scheme.
- Execution of Malicious Code: Once pasted and executed in the browser while on the Swapzone site, the malicious script overrides legitimate client-side JavaScript. It alters the swap UI and transaction logic in real time.
- Hijacking Funds: The injected script manipulates key elements of the swap transaction, including replacement of the generated Bitcoin deposit address with one controlled by the attacker. Because cryptocurrency transactions are irreversible, funds sent to these attacker addresses are effectively lost.
Technical Roots and Novelty
What makes this campaign notable is not only its use of Pastebin comments, a trusted code-sharing venue, but also the adaptation of the ClickFix social engineering technique into the browser context. ClickFix lures traditionally rely on tricking users into executing system commands; in this case, attackers instead get users to execute arbitrary JavaScript within a legitimate web session.
This method allows the malicious code to directly interact with a live DeFi interface, modifying UI elements and data invisibly under the hood. Legitimate page elements appear normal to the user, while behind the scenes the swap logic is manipulated.
Why It Works
- Trust in Code-Sharing Platforms: Many developers and crypto enthusiasts routinely browse sites like Pastebin for code snippets without considering malicious content.
- Social Engineering Leveraging Greed: Promises of quick profit are a classic lure, especially in the cryptocurrency community where high gains can be alluring.
- Browser Execution: Unlike traditional malware that needs installation privileges, this attack uses the browser’s own scripting environment, lowering the bar for exploitation.
Countermeasures and Mitigations
Users and operators within the DeFi and crypto space should adopt defensive behaviors:
- Never Run Unverified JavaScript: Avoid executing code snippets or instructions copied from third-party comments or forums — especially those promising financial gain.
- Verify URLs and Sources: Always ensure that links and guides originate from trusted sources; do not trust embedded Pastebin links without scrutiny.
- Educate on Social Engineering: Awareness of social engineering tactics like ClickFix helps users recognize and avoid misleading prompts.
- Use Hardware Wallets and Off-Chain Signing: Interacting through hardware wallets or transaction signing tools can reduce exposure to client-side manipulation.
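The lure traits described in this article (a javascript: URI, address-bar instructions, links to rawtext[.]host, profit claims) can be turned into a triage heuristic for moderators or security teams reviewing comment text. The following is an added example, not code from the original report; the indicator names, weights, threshold and sample comments are assumptions constructed for illustration.

```javascript
// Heuristic triage of comment text for browser-side ClickFix lures.
// Indicator names, weights and the threshold are assumptions, not values from the report.
const INDICATORS = [
  // A javascript: URI, tolerating case changes and whitespace inside the scheme name.
  // Also matches ordinary prose such as "JavaScript: ...", so it cannot flag on its own.
  { name: "javascript-uri", weight: 3, re: /j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i },
  // Instructions that refer to the browser address bar
  { name: "address-bar-instruction", weight: 2, re: /\b(address|url)\s*bar\b/i },
  // Links to the payload host named in the article, plain or defanged
  { name: "payload-host", weight: 2, re: /rawtext(\[\.\]|\.)host/i },
  // Profit or exploit framing
  { name: "profit-lure", weight: 1, re: /\b(arbitrage|exploit|profit)\b/i },
];
const FLAG_THRESHOLD = 4; // requires at least two indicators to agree

// Undo simple evasions before matching: HTML entities for ":",
// zero-width characters, and compatibility forms such as full-width letters.
function normalize(text) {
  return text
    .replace(/&#0*58;|&#x0*3a;|&colon;/gi, ":")
    .replace(/[\u200b-\u200d\ufeff]/g, "")
    .normalize("NFKC");
}

// Returns the total score, the names of matching indicators, and the verdict.
function scoreComment(text) {
  const clean = normalize(text);
  const hits = INDICATORS.filter((i) => i.re.test(clean));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { score, hits: hits.map((i) => i.name), flagged: score >= FLAG_THRESHOLD };
}

// Constructed sample comments (not taken from the campaign).
const SAMPLES = [
  "Leaked Swapzone arbitrage method, full doc at rawtext[.]host/EXAMPLE - paste the code into the address bar",
  "Type JaVa\u200bScript&#58; in the URL bar, then paste the rest after it",
  "Learning JavaScript: closures explained with examples",
];

for (const s of SAMPLES) console.log(scoreComment(s));
```

A flagged comment is a candidate for human review, not a verdict; the third sample shows why the javascript: match alone stays below the threshold.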
Final Thoughts
This Pastebin-driven ClickFix variant underscores how threat actors continue to innovate by merging social engineering with technical manipulation in unorthodox ways. As decentralized finance platforms grow in adoption, malicious campaigns are likely to become more sophisticated and targeted, making user education and security hygiene more critical than ever.
