Fraudulent AI Startups Target Crypto Wallets in Complex Social Engineering Attack

by admin

Cybercriminals Exploit Crypto Trust with Fake AI and Web3 Startups

A significant cybercrime initiative is underway, targeting cryptocurrency enthusiasts by luring them into downloading malicious software disguised as offerings from fictitious AI and Web3 startups. New research from Darktrace reveals that these sophisticated scams leverage polished websites, phoney social media accounts, and misleading outreach strategies to establish credibility and deceive users.

The Tactics of Deception

Users are primarily contacted through platforms like X (formerly Twitter), Telegram, or Discord by individuals impersonating staff from these fraudulent companies. They invite victims to "test" early software versions in return for cryptocurrency incentives, prompting unsuspecting users to download infected files from the counterfeit company websites.

Inside the Malware Operations

Once downloaded, the Windows variant displays a fake Cloudflare-style verification prompt and then runs an MSI installer, which silently collects detailed system information while deploying information-stealing malware. Notably, these programs are often signed with digital certificates stolen from real enterprises, such as Jiangyin Fengyuan Electronics and Paperbucketmdb ApS, which further misleads victims and helps the installers pass casual inspection.

On macOS, the scam involves a deceptive DMG file that installs a variant of Atomic Stealer. This software is designed to examine browser data, cookies, and sensitive documents, including crypto wallet credentials. The compromised data is then compressed and relayed to remote servers. The malware also ensures continuity through macOS Launch Agents, which enable it to restart automatically during system logins.
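The Launch Agent persistence described above leaves a per-user plist that a defender can audit. The following is an added example, not Darktrace's tooling or anything from the article: it parses LaunchAgent plists and flags the traits a stealer-style agent tends to show (an executable outside the usual application paths, a hidden directory, a temp location, or an inline shell command). The trusted-path list and both sample plists are assumptions constructed for the example.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Locations a legitimate user-level Launch Agent would normally execute from (assumption).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/bin/", "/usr/libexec/", "/Library/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript")

def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Resolve the job's executable, note whether it relaunches at login, and collect indicators."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments", []))
    executable = job.get("Program") or (args[0] if args else "")
    indicators = []
    if not executable:
        indicators.append("no Program or ProgramArguments")
    elif not executable.startswith(TRUSTED_PREFIXES):
        indicators.append(f"executable outside trusted paths: {executable}")
    if executable.startswith(TEMP_PREFIXES):
        indicators.append("executable lives in a temporary directory")
    if any(part.startswith(".") for part in PurePosixPath(executable).parts):
        indicators.append("executable path contains a hidden directory")
    if executable in SHELLS and "-c" in args:
        indicators.append("job runs an inline shell or osascript command")
    persists = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    return {"executable": executable, "persists": persists, "indicators": indicators}

def scan_launch_agents(directory: Path) -> dict:
    """Audit every .plist in a LaunchAgents directory, keyed by file name."""
    return {p.name: audit_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}

# Constructed samples (not artefacts from the campaign): a benign updater, and a stealer-style
# agent that relaunches a binary hidden under Application Support at every login.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.helper</string>
<key>ProgramArguments</key><array>
<string>/Users/victim/Library/Application Support/.helper/agent</string>
</array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":  # audit the current user's own agents
    for name, result in scan_launch_agents(Path.home() / "Library" / "LaunchAgents").items():
        print("SUSPICIOUS" if result["indicators"] else "ok", name, result["indicators"])
```

A hit from this check is a lead, not a verdict: many legitimate agents set RunAtLoad, so the executable path and the signer of the binary it points to are what decide the case.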

Identifying the Fake Brands

Darktrace uncovered a variety of counterfeit companies involved, including names like "Pollens AI," "Swox," "Wasper," "Lunelior," and "Eternal Decay." The last mentioned has even shared falsified conference photographs and gameplay clips pilfered from unrelated video games, emphasizing the elaborate nature of these scams.

Although pinpointing the exact attackers is challenging, their methods resemble those of the known traffer group CrazyEvil. This group has previously shown a talent for extracting millions through combined social engineering and malware tactics aimed specifically at crypto investors and DeFi participants. The term "traffer" refers to cybercriminals who specialise in directing traffic towards malicious downloads that compromise user data.

By emulating legitimate corporate structures and co-opting trusted social media platforms, these criminals have devised a notably effective technique for siphoning cryptocurrency from both Windows and Mac users.

Conclusion

As the crypto space continues to evolve, so too do the threats against it. Vulnerable users must remain vigilant against these deceptive schemes that masquerade as genuine opportunities. By recognising the signs of such scams and exercising caution when interacting online, individuals can better protect themselves against the rising tide of cybercrime focused on the cryptocurrency sector.
