Sophisticated Social Engineering Campaign Targets Crypto Users with Fake AI and Gaming Startups

Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord

Cryptocurrency users are the target of an ongoing social engineering campaign that employs fake startup companies to trick users into downloading malware that can drain digital assets from both Windows and macOS systems. "These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub," Darktrace researcher Tara Gould said in a report shared with The Hacker News. The elaborate social media scam has been for sometime now, with a previous iteration in December 2024 leveraging bogus videoconferencing platforms to dupe victims into joining a meeting under the pretext of discussing an investment opportunity after approaching them on messaging apps like Telegram. Users who ended up downloading the purported meeting software were stealthily infected by stealer malware such as Realst. The campaign was codenamed Meeten by Cado Security (which was acquired by Darktrace earlier this year) in reference to one of the phony videoconferencing services. That said, there are indications that the activity may have been ongoing since at least March 2024, when Jamf Threat Labs disclosed the use of a domain named "meethub[.]gg" to deliver Realst. The latest findings from Darktrace show that the campaign not only still remains an active threat, but has also adopted a broader range of themes related to artificial intelligence, gaming, Web3, and social media. Furthermore, the attackers have been observed leveraging compromised X accounts associated with companies and employees, primarily those that are verified, to approach prospective targets and give their fake companies an illusion of legitimacy. "They make use of sites that are used frequently with software companies such as X, Medium, GitHub, and Notion," Gould said. "Each company has a professional looking website that includes employees, product blogs, whitepapers and roadmaps." One such non-existent company is Eternal Decay (@metaversedecay), which claims to be a blockchain-powered game and has shared digitally altered versions of legitimate pictures on X to give the impression that they are presenting at various conferences. The end goal is to build an online presence that makes these firms appear as real as possible and increases the likelihood of infection. Some of the other identified companies are listed below - The attack chains begin when one of these adversary-controlled accounts messages a victim through X, Telegram, or Discord, urging them to test out their software in exchange for a cryptocurrency payment. Should the target agree to the test, they are redirected to a fictitious website from where they are promoted to enter a registration code provided by the employee to download either a Windows Electron application or an Apple disk image (DMG) file, depending on the operating system used. On Windows systems, opening the malicious application displays a Cloudflare verification screen to the victim while it covertly profiles the machine and proceeds to download and execute an MSI installer. Although the exact nature of the payload is unclear, it's believed that an information stealer is run at this stage. The macOS version of the attack, on the other hand, leads to the deployment of the Atomic macOS Stealer (AMOS), a known infostealer malware that can siphon documents as well as data from web browsers and crypto wallets, and exfiltrate the details to external server. The DMG binary is also equipped to fetch a shell script that's responsible for setting up persistence on the system using a Launch Agent to ensure that the app starts automatically upon user login. The script also retrieves and runs an Objective-C/Swift binary that logs application usage and user interaction timestamps, and transmits them to a remote server. Darktrace also noted that the campaign shares tactical similarities with those orchestrated by a traffers group called Crazy Evil that's known to dupe victims into installing malware such as StealC, AMOS, and Angel Drainer. "While it is unclear if the campaigns [...] can be attributed to CrazyEvil or any sub teams, the techniques described are similar in nature," Gould said. "This campaign highlights the efforts that threat actors will go to make these fake companies look legitimate in order to steal cryptocurrency from victims, in addition to the use of newer evasive versions of malware."

Threat actors using 'elaborate social engineering scheme' to target crypto users -- Report

Social engineering scams, from the Meeten campaign to fake crypto support scams, have become a troubling occurrence in crypto. Threat actors are using an elaborate social engineering scheme to target crypto users and drain their wallets, according to a Thursday report from cybersecurity company Darktrace. The company wrote that the techniques are similar to those used by "Traffer Groups," which use malware to steal credentials and data. The social engineering scheme involves gaining the trust of users by posing as representatives from fake startup companies in the industries of AI, gaming, Web3 and social media. Compromised X accounts are often involved, and the threat actors supplement the fraud with Medium articles and GitHub entries. "Each campaign typically starts with a victim being contacted through X messages, Telegram or Discord," the report reads. "A fake employee of the company will contact a victim asking to test out their software in exchange for a cryptocurrency payment." After the user downloads the software, a Cloudflare verification bubble pops up that begins to extract information about the computer. At a certain point, credentials from cryptocurrency wallets are stolen. Windows and Mac users are known to have been targeted, according to the report. The scheme may be similar to the December 2024 attacks involved in the Meeten campaign. There have been other social engineering attacks targeting cryptocurrency users, including those allegedly orchestrated by certain groups associated with North Korea. Related: 10 red flags a crypto platform is a scam -- and how to protect your money Crypto scams, frauds, and thefts are rife in the industry, with names like the "pig butchering" scams and "four-dollar wrench attacks." In some cases, they've become more sophisticated, relying on social engineering, hacked X accounts, and insider fraud. On July 7, Chinese authorities warned citizens about illegal fundraising schemes that, in part, were built around crypto's "killer" use case: stablecoins. Allegedly, the organizations are often fronts for money laundering and online gambling, and the groups take advantage of the public's limited knowledge of certain aspects of crypto. Cointelegraph has written about the crypto scams to watch out for in 2025. They include malicious browser plugins that purport to be for security, tampered hardware wallets, and social engineering through a fake revoker website. On July 8, the US Department of Justice unsealed an indictment against two men for allegedly running a scheme that defrauded investors of over $650 million. Another scheme has been the fake crypto support scam, which uses psychological tactics to complete the fraud.