Malware Distribution Targeting Cryptocurrency Users via Telegram & Discord by Fake Gaming & AI Companies


Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord

Ongoing Social Engineering Attack Targets Cryptocurrency Users

Cryptocurrency users are facing a persistent social engineering campaign that uses fake startup companies to trick individuals into downloading malware capable of draining their digital assets on both Windows and macOS. According to a report by Darktrace, researcher Tara Gould found that the schemes mimic legitimate firms in artificial intelligence, gaming, and Web3, backed by counterfeit social media accounts and convincing-looking project documentation hosted on platforms such as Notion and GitHub.

Evolution of the Scams

This social media con has been running for some time; an earlier version surfaced in December 2024. That variant used fake videoconferencing tools to lure victims into a meeting under the guise of discussing investment opportunities, after first contacting them through messaging applications like Telegram. Those who downloaded the supposed meeting software were infected with stealer malware, including one known as Realst. Cado Security, which was acquired by Darktrace earlier this year, referred to the campaign as "Meeten" after one of the fraudulent videoconferencing platforms used in the scheme. Evidence suggests that the activity dates back to at least March 2024, when Jamf Threat Labs reported the use of a domain named "meethub[.]gg" to distribute Realst.

Broader Themes and Techniques Adopted by Attackers

Recent findings from Darktrace indicate that the campaign remains active and has broadened its themes to cover artificial intelligence, gaming, Web3, and social media. The attackers have also been observed taking over X (formerly Twitter) accounts belonging to verified companies and their employees, lending borrowed credibility to the fraudulent ventures. "They make use of sites that are popular among software companies such as X, Medium, GitHub, and Notion," Gould said. "Each of these companies presents a professional online presence, complete with profiles of employees, product blogs, whitepapers, and strategic roadmaps."

Creation of a Deceptive Online Presence

One of the fictitious entities identified in the scheme is Eternal Decay (@metaversedecay), which purports to be a blockchain-based game. The account posted doctored images on X to create the illusion that the company had exhibited at various conferences, reinforcing its fake online presence. The objective is to fabricate enough apparent legitimacy that targets are willing to install the software. Other fraudulent companies linked to the operation include BeeSync, Buzzu, Cloudsign, Dexis, KlastAI, and several others, each with its own deceptive social media accounts.

How the Attack Chains Function

The attack chains begin when these adversary-controlled accounts contact potential victims on X, Telegram, or Discord, offering cryptocurrency payment in exchange for testing the software. If the target shows interest, they are sent to a fake website where they must enter a registration code supplied by the impersonated employee before they can download either a Windows Electron application or an Apple disk image (DMG) file, depending on their operating system. On Windows, opening the malicious application displays a decoy Cloudflare-style verification screen while it quietly collects system information and then downloads and executes an MSI installer. The exact payload has not been confirmed, but an information stealer is believed to be deployed at this stage.

MacOS Version of the Attack

On macOS, the DMG installs Atomic macOS Stealer (AMOS), a known stealer that harvests documents and data from web browsers and cryptocurrency wallets and sends them to an external server. The DMG also contains a shell script that establishes persistence on the infected system through a Launch Agent, so the application is launched automatically each time the user logs in. The script additionally retrieves and executes an Objective-C/Swift binary that logs application usage and interaction timestamps and transmits them to a remote server.
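The Launch Agent persistence described above is visible on disk: launchd reads property-list files from ~/Library/LaunchAgents and runs whatever they point at when RunAtLoad or KeepAlive is set. The following audit script is an added example, not code from the Darktrace report or from the malware; it parses Launch Agent plists and flags entries that auto-start a program from a user-writable location or that invoke a shell with an inline command, the pattern a dropped shell script would produce. The trusted-path list and the heuristics are this example's own assumptions, and the sample plists are constructed for the demonstration rather than real indicators.

```python
"""Audit macOS LaunchAgent plists for suspicious auto-start entries.

Added example (not from the Darktrace report). Heuristic: a job that runs at
login and launches from outside normal install locations, or that runs an
interpreter with an inline command, deserves a closer look.
"""
import plistlib
from pathlib import Path

# Assumed set of prefixes a legitimately installed agent normally launches from.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/opt/homebrew/")
# Interpreters commonly used to run a dropped script rather than a signed binary.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "curl", "python3"}


def agent_program(plist):
    """Return the executable path of a launchd job (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def is_suspicious(plist):
    """Return (flagged, reason) for one parsed Launch Agent plist."""
    program = agent_program(plist)
    if program is None:
        return True, "no Program/ProgramArguments"
    args = plist.get("ProgramArguments") or []
    autostart = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    # A shell started with -c, or any interpreter launch, hides the real payload path.
    if Path(program).name in INTERPRETERS or (len(args) > 2 and args[1] == "-c"):
        return True, "interpreter launch: " + " ".join(args or [program])
    if autostart and not program.startswith(TRUSTED_PREFIXES):
        return True, "autostart from untrusted path: " + program
    return False, ""


def audit_plist_bytes(data):
    """Parse one plist (bytes) and return a small audit record."""
    plist = plistlib.loads(data)
    flagged, reason = is_suspicious(plist)
    return {"label": plist.get("Label", "?"), "flagged": flagged, "reason": reason}


def audit_directory(directory=Path.home() / "Library/LaunchAgents"):
    """Audit every *.plist in a LaunchAgents directory; unparseable files are flagged."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            results.append(audit_plist_bytes(path.read_bytes()))
        except Exception as exc:  # malformed plist is itself worth a look
            results.append({"label": path.name, "flagged": True, "reason": f"unparseable: {exc}"})
    return results


# Constructed sample plists for offline testing; these are not real indicators.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SAMPLE_SHELL_DROPPER = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/victim/Library/Application Support/.helper/run.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_USER_BINARY = plistlib.dumps({
    "Label": "com.example.agent",
    "Program": "/Users/victim/Library/Caches/.agent",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SHELL_DROPPER, SAMPLE_USER_BINARY):
        print(audit_plist_bytes(sample))
    for record in audit_directory():
        if record["flagged"]:
            print("FLAGGED", record)
```

Run it as the logged-in user to review ~/Library/LaunchAgents; point audit_directory at /Library/LaunchAgents or /Library/LaunchDaemons to cover system-wide jobs as well. The heuristics will also flag legitimate developer tooling that lives in a home directory, so treat a hit as a prompt to inspect the referenced script or binary, not as a verdict.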

Similarities to Other Malware Campaigns

Darktrace also noted that the campaign shares tactical overlaps with activity attributed to a group known as Crazy Evil, which is known for tricking victims into installing malware such as StealC, AMOS, and Angel Drainer. "While it is not definitively clear if these campaigns can be directly linked to Crazy Evil or its subgroups, the tactics employed are consistent," Gould noted. "This campaign underscores the lengths to which threat actors will go to create convincing facades for these fake businesses in order to steal cryptocurrency from unsuspecting victims, alongside their use of advanced evasive malware versions."