A sophisticated crypto scam is targeting users through fake AI, gaming, and Web3 startup companies, according to new findings by cybersecurity firm Darktrace.
The campaign lures victims into downloading malware disguised as legitimate applications, ultimately draining their cryptocurrency wallets.
To build credibility, threat actors create professional-looking fake companies using compromised and verified X (formerly Twitter) accounts, along with content on platforms like Medium, Notion, and GitHub. These accounts and pages often feature whitepapers, fabricated team bios, and even doctored event photos to bolster their appearance of legitimacy.
The deception continues as victims are approached via social platforms such as X, Telegram, or Discord. Scammers pose as company employees, offering cryptocurrency payments in exchange for testing new software. Once victims accept, they are directed to download a malicious application tailored for either Windows or macOS.
On Windows, the malware is packaged as an Electron app that profiles the victim’s system before delivering an info-stealing payload. On macOS, the malware, identified as Atomic Stealer, is embedded in a disguised DMG file and executes via a heavily obfuscated bash script. Both versions exfiltrate browser data, documents, and private keys from crypto wallets to remote command-and-control servers.
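A defender who receives one of these "test builds" will usually want a quick triage pass before anything is executed. The following is an added example, not code from the original article or from Darktrace, of a heuristic scanner for the macOS half of the chain: it walks an unpacked DMG or app bundle, picks out shell scripts, and flags the obfuscation patterns that typically accompany a dropper of this kind (base64-decoded payloads fed to `eval`, `curl | sh`, quarantine-attribute stripping, very long base64 blobs, high byte entropy). The indicator list, thresholds, and the two embedded sample scripts are constructed assumptions for illustration; the real script's contents are not published on this page.

```python
"""Heuristic triage of shell scripts inside an unpacked DMG / app bundle.

Added example: indicators, thresholds and sample scripts are assumptions
chosen to illustrate obfuscated-dropper detection, not Darktrace's analysis.
"""
import base64
import math
import os
import re
import tempfile
from collections import Counter

# Match a sh/bash shebang at the start of a file.
SHEBANG = re.compile(rb"^#!\s*/(usr/)?bin/(ba)?sh\b")

# Common obfuscation / dropper tricks seen in macOS stealer install scripts.
INDICATORS = {
    "eval": re.compile(rb"\beval\b"),
    "base64_decode": re.compile(rb"base64\s+(-d|--decode|-D)\b"),
    "remote_pipe_to_shell": re.compile(rb"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
    "osascript": re.compile(rb"\bosascript\b"),
    "long_b64_blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
    "quarantine_strip": re.compile(rb"xattr\s+-\w*d\w*\s+com\.apple\.quarantine"),
}
ENTROPY_THRESHOLD = 5.5   # plain shell text sits around 4.3-4.9 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded/encrypted payloads push this toward 6+ for base64."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_script(data: bytes) -> dict:
    """Return the indicators that fired; two or more marks the script suspicious."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        hits.append("high_entropy")
    return {"indicators": hits, "entropy": round(ent, 2), "suspicious": len(hits) >= 2}


def is_shell_script(path: str) -> bool:
    with open(path, "rb") as f:
        head = f.read(64)
    return bool(SHEBANG.match(head)) or path.endswith(".sh")


def scan_tree(root: str) -> dict:
    """Scan every shell script under root (e.g. a mounted DMG) and score it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_shell_script(path):
                with open(path, "rb") as f:
                    findings[os.path.relpath(path, root)] = score_script(f.read())
    return findings


def build_demo_tree(root: str) -> None:
    """Write two constructed sample scripts: one benign, one dropper-like."""
    # Deterministic high-entropy blob standing in for an encoded second stage.
    blob = base64.b64encode(bytes(range(256)) * 2).decode()
    dropper = (
        "#!/bin/bash\n"
        'xattr -d com.apple.quarantine "$0" 2>/dev/null\n'
        f'P="$(echo "{blob}" | base64 -d)"\n'
        'eval "$P"\n'
    )
    benign = (
        "#!/bin/sh\n"
        "# Post-install: create the per-user config directory\n"
        'mkdir -p "$HOME/.config/demoapp"\n'
        'cp ./default.toml "$HOME/.config/demoapp/config.toml"\n'
    )
    with open(os.path.join(root, "Install.sh"), "w") as f:
        f.write(dropper)
    with open(os.path.join(root, "postinstall.sh"), "w") as f:
        f.write(benign)


def demo() -> dict:
    """Build the sample tree in a temp dir and return the scan results."""
    root = tempfile.mkdtemp(prefix="dmg_triage_")
    build_demo_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, result in demo().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {path}: {result['indicators']} entropy={result['entropy']}")
```

Mount the DMG read-only (`hdiutil attach -readonly -nobrowse file.dmg`) on an isolated analysis host and point `scan_tree` at the mount point; treat a hit as a reason to detonate in a sandbox, not as a verdict, since legitimate installers occasionally use base64 or `eval` too.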
Several fake companies have been linked to the campaign, including Pollens AI, Buzzu, Swox, and Eternal Decay. In some cases, the attackers reused logos, GitHub code, and even forged investor lists. They also employed stolen code-signing certificates to evade security detection.
Image: Example of a compromised X account used to create a fake “BuzzuAI” employee profile. Source: Darktrace
Although attribution remains uncertain, the tactics align closely with those used by the traffer group “CrazyEvil,” known for targeting cryptocurrency users through social engineering and fake software schemes.
This incident coincides with news from the UK, where a British court has sentenced two men from Greater London, Raymondip Bedi and Patrick Mavanga, for running a crypto investment fraud. Between 2017 and 2019, they stole over £1.54 million (about $2.1 million) from at least 65 victims by cold-calling and falsely promising high, risk-free returns.