Threat actors abuse Pastebin for ClickFix scam on crypto swaps

On February 15, 2026, BleepingComputer reported a campaign where attackers post comments on various Pastebin entries, claiming to share "leaked exploit documentation" for earning $13,000 in two days through a supposed arbitrage flaw on Swapzone.io. These comments link to a URL on rawtext[.]host, which redirects to a Google Docs page titled "Swapzone.io – ChangeNOW Profit Method." The document falsely describes exploiting an outdated backend node on ChangeNOW, connected via Swapzone's API.

The guide quotes: "ChangeNOW still has an older backend node connected to the Swapzone partner API. On direct ChangeNOW, this node is no longer used for public swaps." It further claims: "However, when accessed through Swapzone, the rate calculation passes through Node v1.9 for certain BTC pairs. This old node applies a different conversion formula for BTC to ANY, which results in ~38% higher payouts than intended."

Victims are instructed to visit paste[.]sh, copy a JavaScript snippet, return to Swapzone.io, and execute it by typing "javascript:" in the browser's address bar followed by the code, then pressing Enter. This leverages the browser's 'javascript:' URI to run the script on the loaded page.

Analysis reveals the script loads an obfuscated payload from https://rawtext[.]host/raw?btulo3, which injects into Swapzone's Next.js interface. It replaces legitimate deposit addresses with attacker-controlled Bitcoin wallets and alters displayed exchange rates to simulate the promised profits. Users see a normal interface but send funds to scammers.

This scam adapts ClickFix attacks—typically used to run OS commands for malware installation—into a browser-focused method to intercept crypto swaps. As Bitcoin transactions are irreversible, affected users have no straightforward recovery options. The campaign has been active over the past week, with documents showing 1 to 5 viewers at a time.