Threat actors are using comments on Pastebin to promote a scam that tricks cryptocurrency users into running malicious JavaScript on Swapzone.io, hijacking Bitcoin transactions. The attack, a variant of ClickFix techniques, redirects funds to attacker-controlled wallets while mimicking legitimate arbitrage profits. This appears to be the first known instance of such a browser-based ClickFix targeting crypto exchanges.
On February 15, 2026, BleepingComputer reported a campaign where attackers post comments on various Pastebin entries, claiming to share "leaked exploit documentation" for earning $13,000 in two days through a supposed arbitrage flaw on Swapzone.io. These comments link to a URL on rawtext[.]host, which redirects to a Google Docs page titled "Swapzone.io – ChangeNOW Profit Method." The document falsely describes exploiting an outdated backend node on ChangeNOW, connected via Swapzone's API.
The guide quotes: "ChangeNOW still has an older backend node connected to the Swapzone partner API. On direct ChangeNOW, this node is no longer used for public swaps." It further claims: "However, when accessed through Swapzone, the rate calculation passes through Node v1.9 for certain BTC pairs. This old node applies a different conversion formula for BTC to ANY, which results in ~38% higher payouts than intended."
Victims are instructed to visit paste[.]sh, copy a JavaScript snippet, return to Swapzone.io, and execute it by typing "javascript:" in the browser's address bar followed by the code, then pressing Enter. This leverages the browser's 'javascript:' URI to run the script on the loaded page.
Analysis reveals the script loads an obfuscated payload from https://rawtext[.]host/raw?btulo3, which injects into Swapzone's Next.js interface. It replaces legitimate deposit addresses with attacker-controlled Bitcoin wallets and alters displayed exchange rates to simulate the promised profits. Users see a normal interface but send funds to scammers.
This scam adapts ClickFix attacks—typically used to run OS commands for malware installation—into a browser-focused method to intercept crypto swaps. As Bitcoin transactions are irreversible, affected users have no straightforward recovery options. The campaign has been active over the past week, with documents showing 1 to 5 viewers at a time.
