Fake AI and Gaming Firms Unleash Malware on Crypto Users

A sophisticated social engineering campaign is actively targeting cryptocurrency users, employing fake AI, gaming, and Web3 companies to distribute malware. Threat actors leverage seemingly legitimate digital footprints, including professional-looking websites and compromised social media accounts, to trick victims into downloading malicious software that drains crypto wallets on both Windows and macOS systems.

Deceptive Tactics Unveiled

Cybersecurity firm Darktrace has exposed an elaborate scheme where threat actors create fictitious startup companies with convincing online presences. These fake entities, often impersonating AI, gaming, and Web3 firms, utilize a range of deceptive tactics:

  • Impersonation: Scammers pose as employees of these fake companies, contacting potential victims via platforms like X (formerly Twitter), Telegram, and Discord.

  • Lure: Users are enticed with offers to "test" early versions of software in exchange for cryptocurrency payments.

  • Legitimization: To build trust, the fake companies maintain professional-looking websites, complete with product blogs, whitepapers, roadmaps, and even employee profiles. They also host project documentation on legitimate platforms such as Notion and GitHub.

  • Compromised Accounts: Verified X accounts, often associated with real companies or employees, are leveraged to approach targets, lending an illusion of credibility.

  • Fabricated Content: Examples include "Eternal Decay," a purported blockchain game, which used digitally altered images of legitimate conferences and stolen gameplay content to appear authentic.

Malware Distribution and Impact

Once a victim agrees to test the software, they are directed to a fake website to download the malicious application using a registration code provided by the scammer. The malware distribution varies by operating system:

  • Windows Systems: The downloaded Electron application displays a fake Cloudflare verification screen while covertly profiling the machine and executing an MSI installer. This installer deploys information-stealing malware.

  • macOS Systems: A malicious DMG file installs a version of Atomic Stealer, which is designed to siphon browser data, cookies, documents, and, critically, cryptocurrency wallet credentials. The malware also establishes persistence mechanisms to ensure it relaunches upon system login.
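The two delivery chains above leave behaviour a defender can look for: on Windows, a user-installed Electron application launching msiexec; on macOS, a freshly mounted disk image writing a login persistence item. The script below is an added illustration written for this post, not code from Darktrace or from the report it summarizes. The sample events are constructed, the field names (host, os, type, parent, image, cmdline, path) are assumed rather than taken from any real EDR schema, and the specific persistence location (LaunchAgents/LaunchDaemons) and "user-writable directory" markers are the author's assumptions about what such a chain would typically touch, since the post does not name them.

```python
"""Toy detection rules for the Windows and macOS delivery chains described above.

Added example: constructed telemetry and assumed field names, not real data.
"""
import json
import ntpath
from typing import Dict, List, Optional

# Constructed sample telemetry (not real data): one JSON event per line, loosely
# modelled on process-creation and file-write records an EDR might emit.
SAMPLE_EVENTS = r"""
{"host":"win-01","os":"windows","type":"process","parent":"C:\\Users\\alice\\AppData\\Local\\Programs\\fakeapp\\FakeApp.exe","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\update.msi /qn"}
{"host":"win-02","os":"windows","type":"process","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\bob\\Downloads\\7z.msi"}
{"host":"mac-01","os":"macos","type":"file_write","image":"/Volumes/FakeApp/FakeApp.app/Contents/MacOS/FakeApp","path":"/Users/carol/Library/LaunchAgents/com.fakeapp.helper.plist"}
{"host":"mac-02","os":"macos","type":"file_write","image":"/usr/sbin/installer","path":"/Library/LaunchDaemons/com.vendor.updater.plist"}
{"host":"mac-01","os":"macos","type":"file_write","image":"/Volumes/FakeApp/FakeApp.app/Contents/MacOS/FakeApp","path":"/Users/carol/Documents/notes.txt"}
"""

# Assumed heuristics: path fragments that mark a user-writable location on
# Windows, and login-persistence directories plus "untrusted writer" prefixes
# (mounted DMG, temp dirs) on macOS. Tune these to your own environment.
WIN_USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")
MAC_LOGIN_PERSISTENCE_DIRS = ("/library/launchagents/", "/library/launchdaemons/")
MAC_UNTRUSTED_PREFIXES = ("/volumes/", "/private/tmp/", "/tmp/")


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_msiexec_from_user_dir(ev: Dict) -> Optional[str]:
    """Flag msiexec.exe whose parent process lives in a user-writable directory.

    A double-click from explorer.exe is normal; an app installed under the user
    profile silently driving msiexec matches the Electron-dropper chain above.
    """
    if ev.get("os") != "windows" or ev.get("type") != "process":
        return None
    if ntpath.basename(ev.get("image", "")).lower() != "msiexec.exe":
        return None
    parent = ev.get("parent", "").lower()
    if any(marker in parent for marker in WIN_USER_WRITABLE):
        return "msiexec_spawned_by_user_writable_parent"
    return None


def rule_login_item_from_untrusted_writer(ev: Dict) -> Optional[str]:
    """Flag a login-persistence plist written by a binary running from a DMG
    or temp location rather than an installed, system-path process."""
    if ev.get("os") != "macos" or ev.get("type") != "file_write":
        return None
    path = ev.get("path", "").lower()
    if not any(d in path for d in MAC_LOGIN_PERSISTENCE_DIRS):
        return None
    writer = ev.get("image", "").lower()
    if writer.startswith(MAC_UNTRUSTED_PREFIXES) or "/downloads/" in writer:
        return "login_persistence_written_by_untrusted_process"
    return None


RULES = (rule_msiexec_from_user_dir, rule_login_item_from_untrusted_writer)


def detect(text: str) -> List[Dict]:
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in parse_events(text):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"host": ev["host"], "rule": name, "image": ev.get("image")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only the two malicious events (win-01 and the LaunchAgents write on mac-01) fire; the explorer-launched installer and the system installer writing a daemon plist do not. The rules key on where the acting process runs from rather than on a file hash or signer name, which matters here because the post notes the attackers use stolen code-signing certificates, so a valid signature alone is not a trust signal.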

Key Takeaways

  • The campaign shares tactical similarities with the "CrazyEvil" traffer group, known for similar social engineering and malware schemes targeting crypto and DeFi communities.

  • Numerous fake brands have been identified, including "Pollens AI," "Swox," "Wasper," "Lunelior," and "Eternal Decay," among others.

  • The attackers use stolen code signing certificates from legitimate companies to increase the software's perceived legitimacy and evade security detection.

  • This ongoing threat highlights the sophisticated efforts cybercriminals undertake to exploit the cryptocurrency space, emphasizing the need for extreme caution when interacting with unsolicited offers or unfamiliar software.

Users are strongly advised to exercise vigilance and verify the legitimacy of any company or individual offering cryptocurrency-related opportunities, especially those requiring software downloads. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.


Sources

  • Elaborate Social Engineering Scam Targeting Crypto Users: Report, Cointelegraph.

  • Crypto Wallets Continue to be Drained in Elaborate Social Media Scam, Darktrace.

  • Fake AI Startups Hijack Crypto Wallets in Sophisticated Social Engineering Blitz, Crypto News Australia.

  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord, The Hacker News.

  • Fake startups target crypto users, infiltrating their wallets, CryptoRank.
