Crazy Evil’s Fake Web3 Company Scam
Hacking group Crazy Evil created a fake Web3 company dubbed ChainSeeker.io to deceive job seekers in the crypto industry into downloading wallet-draining malware.
The group set up LinkedIn and X profiles advertising standard crypto industry jobs, such as “Blockchain Analyst” or “Social Media Manager,” according to cybersecurity website Bleeping Computer.
The Russian-speaking group, known as Crazy Evil, took out premium advertisements on sites like LinkedIn, WellFound, and CryptoJobsList to increase their ads’ visibility. Applicants received emails from the fake company’s so-called “chief human resources officer,” inviting them to contact the fake “chief marketing officer (CMO)” on Telegram.
The fake CMO would encourage them to download and install a virtual meeting application called GrassCall and enter a code provided by the CMO. This software would then install various information-stealing malware or remote access trojans (RATs), targeting crypto wallets, passwords, Apple Keychain data, and authentication cookies stored in web browsers.
As of the time of writing, the campaign is no longer active, and most advertisements appear to have been removed from social media, according to Bleeping Computer.
Cristian Ghita, a freelance UX developer who claimed to be affected by the scam, wrote in a LinkedIn post, “It looked legit from almost all angles.” He added, “Even the video-conferencing tool had an almost believable online presence.”
Some victims of this scam have formed a support group on Telegram for others affected.
According to a report by Recorded Future, this is not the first social engineering attack targeting the crypto industry by Crazy Evil. The report found ten separate scams conducted by the group on social media, many aimed at individuals working in the DeFi sector.
The report estimates the group’s lifetime revenue at over $5 million and suggests it has been recruiting on Russian-language message boards since 2021. In addition to fake job ads, crypto industry professionals must be aware of other targeted scams.
Last year, a similar social engineering scam used fake Zoom links to install crypto-stealing malware, employing tactics akin to Crazy Evil’s latest phishing efforts.
In January, research group SentinelLabs revealed how the North Korea-linked group BlueNoroff used email updates about DeFi trends and bitcoin prices to trick users into downloading malware disguised as PDF reports.