
A New Breed of Cybercrime Is Targeting Crypto Users Worldwide
A new wave of cyberattacks is sweeping through the crypto community, exposing thousands of investors and Web3 employees to malware hidden in what appear to be legitimate startup ventures. Ongoing research by Darktrace reveals a dangerous, evolving campaign that leverages fake AI and blockchain brands to distribute info-stealing malware across multiple platforms. This operation, initially discovered by Cado Security Labs under the “Meeten” campaign in 2024, has since grown into a complex web of deception that mimics real startups, complete with polished branding, technical content, and active social media profiles.
These sophisticated scams prey on trust by impersonating verified tech companies, offering users early access to promising new tools in exchange for small crypto payments. Victims are lured through professional-looking messages on platforms like X, Discord, and Telegram, then directed to sleek, branded websites that hide malicious software downloads. Whether on Windows or macOS, the malware is designed to silently compromise the victim’s system, steal crypto wallet credentials, browser data, documents, and more — all while posing as innovative products in AI, gaming, or DeFi sectors.
Darktrace warns that this campaign is not just opportunistic but part of a broader, organized strategy potentially linked to traffer groups like “CrazyEvil,” known for scalable malware distribution models. The goal is clear: exploit the hype surrounding Web3, trick users into installing malicious payloads, and siphon off digital assets before anyone notices. With code signing certificates stolen from real companies, reuse of malware across multiple fake brands, and clever social engineering tactics, this campaign is more deceptive and effective than anything the crypto world has seen before.
Social Engineering Meets Malware: A New Threat Model
Cybercriminals are now building entire startup ecosystems as part of their attack strategy. These faux companies aren’t just random scams — they’re complete digital facades with websites, GitHub pages, Medium blogs, Notion documentation, and even online stores. They leverage legitimate-looking promotional content and stolen branding to manipulate their victims into trusting their offerings.
Weaponizing X, Telegram, and Discord
Attackers begin their campaign by using verified or hijacked accounts on platforms like X (formerly Twitter), Telegram, and Discord to contact potential victims. Posing as employees of innovative startups, they promise crypto incentives for helping test a new product. This approach adds a layer of legitimacy that makes the scam especially convincing to Web3 developers, investors, and users.
The Malware Delivery Mechanism
After gaining the
On macOS, the attack is even more sophisticated. Victims receive a DMG file containing an obfuscated bash script that executes AppleScript to mount and launch a hidden binary. This installs the Atomic Stealer malware, which siphons off everything from browser cookies and documents to sensitive credentials and crypto wallets. Persistence is maintained through launch agents, keeping the victim compromised long-term.
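One defender-side check that follows from the persistence step described above is to review the user's LaunchAgents for the traits such a dropper leaves behind. This is an added example, not code from the Darktrace or Cado write-ups; the two plists are constructed, and the path and interpreter heuristics are assumptions for illustration rather than a vetted rule set.

```python
"""Flag macOS LaunchAgent plists with traits typical of stealer persistence.
Added example, not from the Darktrace or Cado write-ups; both plists below are
constructed (one benign updater agent, one modelled on a stealer's agent)."""
import plistlib
import re

# Interpreters a dropper chains together (script -> AppleScript -> hidden binary).
SCRIPT_RUNNERS = {"osascript", "bash", "sh", "zsh"}
# Places a mounted DMG or a dropper leaves payloads (assumed heuristics, not a rule set).
SUSPECT_PATH = re.compile(r"^(/Volumes/|/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/\.)")

def suspicious_traits(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent looks like stealer persistence (empty if none)."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    reasons = []
    if not args:
        return reasons
    if args[0].rsplit("/", 1)[-1] in SCRIPT_RUNNERS:
        reasons.append(f"launches script interpreter {args[0]}")
    for a in args:
        if SUSPECT_PATH.match(a):
            reasons.append(f"references transient or hidden path {a}")
            break
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunches if killed)")
    if any("do shell script" in a for a in args):
        reasons.append("inline AppleScript running a shell command")
    return reasons

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.update.helper</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>-c</string>
<string>/Users/victim/.helper/.run --silent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, suspicious_traits(blob) or ["no findings"])
```

On a real host the same function can be run over every file in `~/Library/LaunchAgents`, reading each with `open(path, "rb")`.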
Professional Branding, Fraudulent Intent
These criminal groups go to great lengths to appear legitimate. They plagiarize whitepapers, create realistic investor materials, and stage fake conference presentations. Some even launch online merchandise stores and link to fraudulent entries on official business registries. This level of detail is designed to trick not only users but also automated detection systems and cybersecurity researchers.
Evidence of Coordination and Scale
Repeated use of malware, templates, and branding across different fake companies shows a coordinated infrastructure at work. Many of these tactics are linked to traffer groups — collectives that focus on funneling internet traffic to malware installs in exchange for profits. While not confirmed, the similarity to CrazyEvil’s operations is striking, especially in terms of scalability, multi-platform support, and targeted focus on crypto and gaming users.
Identified Malicious Infrastructure
Security researchers have uncovered dozens of domains and IP addresses associated with this campaign. These include fake company sites like manboon[.]com, malware hosts like isnimitz[.]com/zxc/app[.]zip, and exfiltration endpoints such as 45[.]94[.]47[.]112/contact. These indicators help cybersecurity teams flag and isolate potential threats but also underscore the vastness of the infrastructure supporting this operation.
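To turn the defanged indicators above into something a team can actually run against its own logs, the indicators need refanging and then host- and path-aware matching (a hit on the archive path should not also flag every request to the same host). This is an added example, not the report's tooling; the proxy log lines are constructed, while the three indicators are the ones quoted in the paragraph above.

```python
"""Match the report's defanged indicators against proxy log lines.
Added example, not from the report: the log lines are constructed; the three
indicators are the ones quoted above, defanged with [.] as published."""
import re
from urllib.parse import urlsplit

REPORTED_IOCS = ["manboon[.]com", "isnimitz[.]com/zxc/app[.]zip", "45[.]94[.]47[.]112/contact"]

def refang(ioc: str) -> str:
    """Turn 'a[.]b' and 'hxxp://' forms back into a real host or URL for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def split_ioc(ioc: str) -> tuple[str, str]:
    """Return (host, path) for a bare domain, an IP, or a host/path indicator."""
    parts = urlsplit("//" + refang(ioc))
    return (parts.hostname or "").lower(), parts.path

def match_log(lines: list[str], iocs: list[str]) -> list[tuple[int, str]]:
    """Return (line_no, ioc) for each log line whose destination host equals or is a
    subdomain of an indicator's host and, if the indicator carries a path, whose
    requested path starts with it."""
    rules = [(ioc, *split_ioc(ioc)) for ioc in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\s(?:GET|POST|CONNECT)\s+(\S+)", line)
        if not m:
            continue
        url = m.group(1)
        req = urlsplit(url if "://" in url else "//" + url)
        host = (req.hostname or "").lower()
        for ioc, ioc_host, ioc_path in rules:
            if (host == ioc_host or host.endswith("." + ioc_host)) and req.path.startswith(ioc_path):
                hits.append((n, ioc))
    return hits

# Constructed sample proxy lines: one benign, one to the lure site, one fetching the
# archive, one POST to the exfiltration endpoint, one to an unrelated path on the host.
SAMPLE_LOG = [
    "10.0.0.5 - - [01/Jul/2025:10:00:01] GET http://example.org/ 200",
    "10.0.0.5 - - [01/Jul/2025:10:00:07] GET http://www.manboon.com/app 200",
    "10.0.0.5 - - [01/Jul/2025:10:00:12] GET http://isnimitz.com/zxc/app.zip 200",
    "10.0.0.5 - - [01/Jul/2025:10:01:30] POST http://45.94.47.112/contact 200",
    "10.0.0.5 - - [01/Jul/2025:10:02:00] GET http://isnimitz.com/about 200",
]

if __name__ == "__main__":
    for n, ioc in match_log(SAMPLE_LOG, REPORTED_IOCS):
        print(f"line {n}: {ioc}")
```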
Implications for the Crypto Community
This campaign highlights how deeply cybercriminals have embedded themselves into the Web3 ecosystem. By mimicking the look and feel of real tech startups, they’re able to penetrate even the most security-conscious circles. As these tactics become more convincing, the need for robust cybersecurity awareness and threat detection across the crypto space becomes more urgent than ever.
What Undercode Says:
The recent malware campaign targeting Web3 users reflects a paradigm shift in cybercrime tactics. What once relied on crude phishing emails now manifests as full-scale digital theater, complete with meticulously crafted personas, websites, and communication strategies. The blending of social engineering and malware development is particularly alarming, as it exploits both human psychology and technological blind spots.
One of the most dangerous aspects of this campaign is the use of verified social media accounts and real company certificates. These details would typically act as trust signals, especially in decentralized and fast-moving sectors like Web3. By hijacking or mimicking these elements, attackers are effectively bypassing conventional red flags that users rely on to assess legitimacy.
The malware’s cross-platform capability also speaks to the
Another dimension worth noting is the psychological manipulation involved. The promise of earning cryptocurrency by testing new software taps into both the financial motivation and the tech enthusiasm of Web3 communities. This psychological bait is as powerful as the technical exploit, especially in a culture that values innovation and early adoption.
Furthermore, the campaign’s structure — repeated use of the same malware codebase across different fake entities — suggests a centralized backend where tools, branding kits, and distribution strategies are shared. This makes mitigation more challenging, as shutting down one domain or IP has little effect on the broader ecosystem.
The apparent link to traffer groups like CrazyEvil aligns with known monetization models in cybercrime. These groups operate like businesses themselves, constantly refining their outreach and delivery techniques to maximize payload installations. Their interest in the crypto space is not surprising, given the pseudonymous nature of digital assets and the high reward-to-risk ratio.
To combat such threats, Web3 companies must implement stronger verification protocols for third-party software. Meanwhile, users should remain highly skeptical of unsolicited offers, especially those that involve downloading software outside of trusted ecosystems. Cold messages on X or Discord, no matter how professional they appear, should be treated with extreme caution.
The scale, sophistication, and persistence of this campaign mark a new era in digital deception. The community must respond not only with better tools but also with better education. Cybersecurity is no longer just the responsibility of technical teams — it is now a shared duty across all participants in the decentralized economy.
🔍 Fact Checker Results:
✅ The malware campaign is confirmed by Darktrace and Cado Security Labs.
✅ Code signing certificates used in the attack were verified as stolen.
❌ No definitive proof yet links the operation directly to the CrazyEvil group.
📊 Prediction:
As long as the Web3 space continues to attract high-value assets and early adopters, campaigns like this will evolve and persist. Future attacks will likely leverage generative AI to create even more realistic branding and communications, making it harder for victims to discern truth from deception. Expect increased targeting of NFT developers, DAO contributors, and Layer-2 infrastructure firms in the next wave.
References:
Reported By: cyberpress.org