Hacking group Crazy Evil created a fake Web3 company dubbed “ChainSeeker.io” to trick crypto industry job seekers into downloading wallet-draining malware.
The group set up LinkedIn and X profiles advertising standard crypto industry jobs, like “Blockchain Analyst” or “Social Media Manager,” according to cybersecurity website Bleeping Computer.
The Russian-speaking group, known as Crazy Evil, also took out premium advertisements on websites like LinkedIn, WellFound, and CryptoJobsList to boost their ads’ visibility. Applicants would then receive an email from the fake company’s “chief human resources officer,” who would invite them to contact the fake “chief marketing officer” (CMO) on Telegram.
The purported CMO would then nudge them to download and install a virtual meeting application known as GrassCall and enter a code provided by the CMO. GrassCall would then install a variety of information-stealing malware or remote access trojans (RATs), which would search for crypto wallets, passwords, Apple Keychain data, and authentication cookies stored in web browsers.
The campaign is no longer running at the time of writing, and most advertisements appear to have been removed from social media, according to Bleeping Computer.
Cristian Ghita, a freelance UX developer who claimed to have been impacted by the scam, said in a LinkedIn post, “It looked legit from almost all angles.”
He added: “Even the video-conferencing tool had an almost believable online presence.”
Some of those impacted by the scam have come together to make a support group for victims on Telegram.
According to a report put together last year by Recorded Future, this isn’t Crazy Evil’s first social engineering attack targeting the crypto industry. Recorded Future found ten separate social engineering scams conducted by the group on social media, many of which were squarely aimed at people working in the DeFi industry.
The report pegs the group’s lifetime revenue at over $5 million, and its authors believe the group has been recruiting on Russian-language message boards since 2021.
Outside of fake job ads, there are plenty of other targeted scams that crypto industry professionals need to be aware of.
Last year, a sophisticated social engineering scam saw hackers use fake Zoom links to install crypto-stealing malware, using similar tactics to Crazy Evil’s latest phishing campaign.
And in January, research firm SentinelLabs showed how the North Korea-linked group BlueNoroff used email updates on DeFi trends and bitcoin prices to trick users into downloading malware disguised as PDF reports.
Source: https://decrypt.co/308027/crazy-evil-hackers-create-fake-web3-firm-drain-job-seekers-crypto-wallets