Cybercriminals are actively conducting a sophisticated social engineering campaign designed to steal cryptocurrency from users by impersonating legitimate AI, gaming, and Web3 startup companies. This elaborate scheme involves creating highly convincing fake online presences, including spoofed social media accounts on platforms like X (formerly Twitter), and professional-looking project documentation hosted on legitimate services such as Notion and GitHub. The ultimate goal is to trick unsuspecting individuals into downloading malware, which then silently exfiltrates digital assets from their Windows and macOS devices.
This campaign has been ongoing for some time, with earlier iterations dating back to at least March 2024.
The attack chain typically begins with one of these fake company accounts initiating contact with a prospective victim via messaging apps like X, Telegram, or Discord. The attackers entice targets by offering them a cryptocurrency payment in exchange for “testing” their purported software. If the user agrees, they are directed to a fabricated website where they’re prompted to enter a registration code to download either a malicious Windows Electron application or an Apple disk image (DMG) file, depending on their operating system. This seemingly innocuous download is the conduit for delivering the stealer malware.
On Windows systems, opening the malicious application presents a fake Cloudflare verification screen while secretly profiling the victim’s machine and installing an information-stealing payload. For macOS users, the attack deploys the notorious Atomic macOS Stealer (AMOS), a sophisticated infostealer capable of siphoning documents, browser data, and cryptocurrency wallet information, sending it to external servers. The macOS variant also includes a mechanism for establishing persistence through a Launch Agent, ensuring the malicious application runs automatically upon user login, and continuously logs application usage and user interaction timestamps.
The effectiveness of this campaign lies in its meticulous attention to detail in crafting the fake companies.
These non-existent entities, such as “Eternal Decay” and “BeeSync,” create a strong illusion of legitimacy by sharing digitally altered images of conference presentations, maintaining professional websites with fake employees, product blogs, whitepapers, and roadmaps. They even leverage compromised, verified X accounts to lend an air of authenticity to their communications, making it incredibly difficult for targets to discern the fraud.
This ongoing threat highlights the lengths to which cybercriminals will go to deceive victims and steal their digital assets. While direct attribution to specific threat groups like “Crazy Evil” remains unconfirmed, the observed tactics and use of evasive malware versions bear strong similarities to their methods. The campaign underscores the critical need for cryptocurrency users to exercise extreme caution, verify the authenticity of any company offering investment or testing opportunities, and be wary of unsolicited messages and software downloads.
Reference:
