Making printers and stealing crypto: what Procolored was really up to

The Chinese company Procolored became one of the most popular printer manufacturers in its seven years of existence. Their products had a good balance of price and quality. But, it turned out that Procolored was also engaged in illegal activities. GetBlock AML Research tells how the manufacturer got caught in a massive cryptocurrency theft.

Fair name

Procolored started producing printers back in 2018 and quickly conquered the market. The manufacturer mainly focused on fabric printing and produced related products. Until 2024, the company was not seen in any dubious affairs. Its products were exported to 31 countries.

At the end of 2024, owners of Procolored printers encountered problems installing drivers (special software for proper operation of the devices). Antivirus systems identified the drivers as malware and moved them to quarantine. Because of this, users were unable to configure their printers.

Official repository with Procolored drivers on Mega file share

The secret is out

In one of the Reddit threads, a popular YouTube blogger under the nickname Coward reported the problem described above. When buying a new model of Procolored printer, he was unable to install the driver that came on a flash drive with the device. The blogger encountered a similar problem when trying to download the driver from the official Procolored website.

A thorough analysis of the driver showed that it contained 39 infected files with the XRedRAT remote access trojan and the SnipVex clipper, which replaces the copied cryptocurrency address in the clipboard with the kidnappers’ wallet. Drivers for the following Procolored models were infected: F8, F13, F13 Pro, V6, V11 Pro and VF13 Pro.

SnipVex clipper source code in Procolored driver files

Procolored’s response

Following the discovery of viruses in printer drivers, Procolored removed the infected software from their website and announced the launch of an internal investigation. According to the manufacturer’s preliminary version, the malicious files got into the software they were distributing by accident, as the developers’ computers were themselves infected. On the same day, clean versions of the drivers appeared on the manufacturer’s website.

Onchain analysis

One of the attackers’ addresses (1BQZZKqdp2CV3QV5nUEsqSg1ygegLmqRygj) that was found in the infected driver belongs to the US exchange Coinbase, according to Arkham. The wallet was created in 2016 and has accepted 9,3 BTC (almost $1 million at the exchange rate as of May 21, 2025) during its existence. These are mostly small amounts ranging from a few dollars to a few hundred dollars. The address was used as a buffer address. After the cryptocurrency was stolen, it was immediately transferred to other disposable wallets.

The amount of damage caused by Procolored’s actions could be much larger. GetBlock AML Research found over 100 other addresses that were used to store stolen funds. All of these addresses are believed to belong to the Coinbase exchange. The highest activity of malicious wallets was observed in 2022 and 2024.