Web3 Job Scam: Fake GrassCall Interviews Used to Steal Crypto Wallets

Listen to this Post

A Sophisticated Social Engineering Attack on Job Seekers

A recent cybercrime campaign has targeted job seekers in the Web3 space through a malicious fake interview scheme. Hackers disguised as recruiters conducted fraudulent job interviews using a deceptive meeting software called “GrassCall.” Once installed, this application deployed information-stealing malware, compromising users’ cryptocurrency wallets.

Victims of the scam, numbering in the hundreds, reported losing access to their digital assets as their wallets were drained. Affected users have since formed a Telegram group to assist one another in removing the malware from their Windows and Mac devices.

The perpetrators of this attack belong to a Russian-speaking cybercriminal group known as Crazy Evil, specifically a subgroup called KEVLAND. They specialize in social engineering attacks, primarily targeting individuals in the cryptocurrency and blockchain industry.

To execute the scam, the hackers created a fake company called ChainSeeker.io with a professional-looking website and social media presence. They posted premium job listings on LinkedIn, WellFound, and CryptoJobsList, attracting unsuspecting job seekers. Victims were contacted via email and directed to a fraudulent Chief Marketing Officer (CMO) on Telegram, who instructed them to download GrassCall from the website “grasscall[.]net.”

Upon installation, the software deployed malware tailored to the victim’s operating system:
– Windows devices: A remote access trojan (RAT) and the Rhadamanthys information-stealer were installed.
– Mac devices: The Atomic Stealer (AMOS) malware was deployed, targeting passwords stored in Apple Keychain and browser authentication cookies.

Stolen credentials were uploaded to the hackers’ servers and shared in Telegram channels linked to the cybercriminal group. If a crypto wallet was detected, the attackers attempted to brute-force passwords, drain funds, and distribute earnings among their members. Some criminals involved in the operation reportedly made six-figure sums from these attacks.

In response to the scam, CryptoJobsList removed the fraudulent job postings and issued warnings to those who had applied. The GrassCall website has since been taken down, but those affected are strongly advised to change all passwords, revoke authentication tokens, and secure their cryptocurrency wallets immediately.

What Undercode Says:

This attack highlights the increasingly sophisticated nature of social engineering threats in the cryptocurrency and Web3 industries. Unlike traditional phishing scams, which rely on fake emails or messages, this campaign leveraged an entire fake company, professional job listings, and social media credibility to deceive victims.

Key Takeaways from the GrassCall Scam:

1. Targeted Attack on Web3 Professionals

  • This was not a random attack; the hackers specifically targeted individuals working in blockchain and cryptocurrency, fields that require digital wallets and financial transactions.
  • By offering legitimate-sounding job opportunities, they exploited the aspirations of professionals looking for career growth in the industry.

2. The Role of Social Engineering

  • The attackers created a believable fake company, ChainSeeker.io, complete with a website, LinkedIn, and social media presence.
  • They invested in premium job listings to appear credible, ensuring their posts would reach more serious job seekers.
  • Using Telegram as a communication channel, they avoided detection on mainstream hiring platforms and pushed victims to download malicious software.

3. Highly Targeted Malware Deployment

  • The malware wasn’t just generic spyware—it was tailored to extract cryptocurrency wallets, authentication cookies, and stored passwords.
  • By distributing different payloads for Windows and Mac users, the attackers ensured maximum efficiency in stealing sensitive data.

4. Monetization and Profit Sharing Among Cybercriminals

  • The stolen data was quickly processed and monetized, with credentials being used to drain wallets and accounts.

– The

  • Some members reportedly made tens or hundreds of thousands of dollars per successful breach.

Lessons for Web3 Job Seekers and Security Experts:

🔹 Verify Job Listings and Companies

  • Before applying, research the company on multiple platforms. Legitimate companies will have a track record, reviews, and employee testimonials.
  • Be cautious of job offers that require external communication through Telegram or unverified platforms.

🔹 Avoid Downloading Unverified Software

  • If an employer asks you to download unfamiliar software for an interview, research it thoroughly before proceeding.
  • Use tools like VirusTotal to scan downloaded files before running them.

🔹 Use Strong Security Practices

– Enable two-factor authentication (2FA) on all accounts.

  • Use a hardware wallet instead of software wallets when possible.
  • Regularly revoke access to third-party apps that have permissions on your accounts.

🔹 Stay Informed on Emerging Cyber Threats

  • Hackers continuously evolve their tactics—keeping up with security news and threat intelligence can help avoid falling for sophisticated scams.
  • Follow cybersecurity researchers and organizations that track crypto-related cyber threats.

Final Thought:

This incident is a wake-up call for the Web3 community. As blockchain adoption grows, so does the sophistication of cyberattacks. Hackers are no longer just targeting centralized exchanges; they are now infiltrating the job-seeking process itself.

The best defense against such scams is education, skepticism, and robust cybersecurity practices. Always double-check company legitimacy, avoid direct downloads, and secure your digital assets proactively.

References:

Reported By: https://www.bleepingcomputer.com/news/security/grasscall-malware-campaign-drains-crypto-wallets-via-fake-job-interviews/
Extra Source Hub:
https://www.quora.com/topic/Technology
Wikipedia: https://www.wikipedia.org
Undercode AI

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2Featured Image