Fake AI Startups Hijack Crypto Wallets in Sophisticated Social Engineering Blitz

By Rachel Lourdesamy | July 11, 2025 | In AI, Cryptocurrency, Hackers
  • Fake AI and Web3 startups are tricking crypto users into downloading malware through sleek websites, hijacked X accounts, and phoney employee outreach.
  • Dozens of fake brands, like “Swox” and “Eternal Decay,” were identified, many using altered media and copied code.
  • The campaign closely mirrors tactics used by traffer group CrazyEvil, known for targeting crypto and DeFi communities.

A widespread cybercrime campaign is deceiving users into installing malicious software disguised as products from fake AI and Web3 startups, according to new findings by Darktrace. These elaborate scams are orchestrated by threat actors who set up bogus companies with seemingly legitimate digital footprints – complete with websites, whitepapers, and verified X (formerly Twitter) accounts – to build trust and trick users.

Victims are typically contacted via X, Telegram, or Discord by individuals posing as employees of these fake startups. They are asked to “test” early versions of the software in exchange for cryptocurrency, leading them to download infected files through the fake company’s website using a registration code.


Inside the Malware Mechanics

Once downloaded, the Windows version launches a Cloudflare-style verification prompt before quietly executing an MSI installer, which proceeds to extract detailed system information and deploy information-stealing malware. These apps are often signed using certificates stolen from real companies, such as Jiangyin Fengyuan Electronics and Paperbucketmdb ApS.


On macOS, the fake DMG file installs a version of Atomic Stealer, which scans for browser data, cookies, documents, and crypto wallet credentials. The stolen data is compressed and sent to a remote server. Persistence mechanisms are also established via macOS Launch Agents, ensuring the malware relaunches at system login.
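The Launch Agent persistence described above is something a defender can audit directly: launchd reads property-list files from the per-user and system-wide LaunchAgents directories, and an entry with RunAtLoad or KeepAlive that points at a binary outside the usual system locations is exactly the kind of foothold a stealer leaves behind. The script below is an added example, not code from Darktrace or from the article; it assumes the standard LaunchAgents directories, a constructed list of trusted path prefixes, and two constructed sample plists that are illustrations rather than indicators from this campaign.

```python
import plistlib
from pathlib import Path

# Locations launchd loads per-user agents from (assumed standard macOS paths).
LAUNCH_AGENT_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
]

# Program paths under these prefixes are treated as expected; anything else
# that auto-starts is worth a second look. This is a constructed heuristic,
# not a verdict: legitimate third-party software also installs agents.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Applications/")


def analyze_launch_agent(plist_bytes: bytes, source: str = "<inline>") -> dict:
    """Parse one launchd plist and flag the persistence traits worth reviewing."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    reasons = []
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad: starts at login")
    if data.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched if killed")
    if program is None:
        reasons.append("no Program/ProgramArguments")
    else:
        if not program.startswith(TRUSTED_PREFIXES):
            reasons.append(f"program outside trusted prefixes: {program}")
        if any(part.startswith(".") for part in Path(program).parts):
            reasons.append("program lives in a hidden directory")
        if program.startswith(("/tmp/", "/private/tmp/", "/var/folders/")):
            reasons.append("program runs from a temporary directory")
    auto_starts = bool(data.get("RunAtLoad") or data.get("KeepAlive"))
    untrusted = program is None or not program.startswith(TRUSTED_PREFIXES)
    return {
        "source": source,
        "label": data.get("Label"),
        "program": program,
        "reasons": reasons,
        "suspicious": auto_starts and untrusted,
    }


def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS) -> list:
    """Walk the Launch Agent directories and return one finding per plist."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                findings.append(analyze_launch_agent(plist.read_bytes(), str(plist)))
            except Exception as exc:  # an unparseable agent plist is itself notable
                findings.append({"source": str(plist), "label": None, "program": None,
                                 "reasons": [f"unparseable: {exc}"], "suspicious": True})
    return findings


# Constructed sample agents (not real IoCs): one shaped like a stealer's
# persistence entry, one a harmless user agent pointing at an Apple binary.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/victim/Library/Application Support/.cache/agent", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.reminder",
    "ProgramArguments": ["/usr/bin/say", "stand up"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(analyze_launch_agent(sample))
    for finding in scan_launch_agents():
        if finding["suspicious"]:
            print("REVIEW:", finding["source"], finding["reasons"])
```

Run it on a Mac to list every agent that auto-starts an unexpected binary; anything flagged should be checked against what the user actually installed before the plist and its target are removed, since the heuristic will also surface legitimate updaters that live under the user's home directory.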

Darktrace identified numerous fake brands involved, including “Pollens AI”, “Swox”, “Wasper”, “Lunelior”, and “Eternal Decay” – the latter having posted fake conference photos and gameplay content stolen from unrelated games.

Although attribution remains uncertain, the tactics resemble those of known traffer group CrazyEvil, a cybercriminal ring previously documented to have made millions through similar social engineering and malware schemes targeting crypto users and DeFi professionals. A traffer is a type of cybercriminal who specialises in driving traffic to malware-laced downloads that steal user data.

By mimicking legitimate business structures and hijacking trusted social platforms, these attackers have created a highly effective and ongoing method of stealing cryptocurrency across both Windows and Mac systems.



Rachel Lourdesamy, Author

Rachel is a freelance writer based in Sydney with experience within financial services, marketing, and corporate communications in the APAC region. An avid reader and a graduate of the University of Sydney, she covers topics including business, finance and human interest.
