The social engineering campaign targeting cryptocurrency users through fake startup companies is complex and well organized.
The criminal group combines legitimate platforms such as Notion and GitHub with fake social media accounts to build a reputable company image, then uses it to defraud employees and users across the global Web3 ecosystem.
MAIN CONTENT
Criminals set up fake startup companies on legitimate platforms to gain credibility and defraud cryptocurrency users.
Malware targeting Windows and macOS goes after cryptocurrency wallet data, using stealth and evasion techniques.
Many fake companies operate at the same time and are closely linked, forming an international fraud network.
How does the fraud campaign through fake startup companies occur?
The criminal group builds fake startup companies in the AI, gaming and Web3 sectors, using hijacked verified social media accounts. It relies on reputable platforms such as Notion and GitHub to create professional-looking company profiles complete with blogs, product roadmaps and staff profiles.
Social media accounts with large follower counts lend credibility and draw in victims, who then receive phishing messages on X, Telegram and Discord requesting cryptocurrency payments for software trials.
The campaign shows sophistication and careful investment in creating a reputable company image to increase the success rate of the fraud.
Dan Schiappa, Cybersecurity Director at Darktrace, 2025
The importance of using legitimate platforms in fraud
Fake documents and websites hosted on Notion, Medium and GitHub add to the sense of authenticity and professionalism. The GitHub repositories, for example, reuse copied open-source code that has been renamed to pass it off as the company's own distinct product.
Doctored conference photos used by the fake game company Eternal Decay serve as evidence of product presentations that never took place, making victims easier to deceive.
How does malware attack cryptocurrency wallet users on Windows and macOS?
On Windows, the malware is packaged as an Electron application that requires a registration code supplied by a fake company employee. Before activation it displays Cloudflare verification screens, which helps it avoid detection.
On macOS, the malware is delivered as a DMG file containing a bash script obfuscated with techniques such as base64 encoding and XOR. The script launches automatically and checks whether it is running in an emulated environment in order to evade analysis.
Malware is designed to deeply collect system information and wallet data while maintaining long-lasting persistence on the victim's device.
Darktrace security research team, 2025
Both malware versions target cryptocurrency wallet data, also accessing browser data, cookies and personal documents; the collected information is compressed and sent to a covert command-and-control server.
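The macOS stager described above (a base64-encoded, XOR-scrambled bash script that checks for a virtual environment before running) can be triaged statically. The following added example is not code from the article or from Darktrace: it builds a constructed stand-in script with an assumed single-byte XOR key, then flags the decode-and-execute pipe, the hidden shell stage and the VM check a defender would want to spot.

```python
import base64
import re
import string
# Constructed second stage standing in for the real payload (not reproduced in the article):
# a VM check followed by a harmless placeholder command.
STAGE2 = b"if sysctl -n hw.model | grep -q VMware; then exit 0; fi\necho stage two would run here\n"
XOR_KEY = 0x5A  # assumed single-byte key; the real key is not on the page

def build_sample_script() -> str:
    """Constructed stager in the described style: base64(XOR(stage2)) piped into bash.
    The XOR-unscrambling step between 'base64 -d' and 'bash' is deliberately left out."""
    blob = base64.b64encode(bytes(b ^ XOR_KEY for b in STAGE2)).decode()
    return f'#!/bin/bash\nP="{blob}"\necho "$P" | base64 -d | bash\n'
SAMPLE_SCRIPT = build_sample_script()
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SHELL_WORDS = (b"bash", b"exit", b"grep", b"sysctl", b"if ", b"then", b"echo", b"curl")
VM_MARKERS = (b"hw.model", b"VMware", b"VirtualBox", b"Parallels", b"QEMU")
PRINTABLE = set(string.printable.encode())

def shell_score(data: bytes) -> int:
    """Count shell keywords, but only when the bytes look like text (>= 90% printable)."""
    if not data or sum(c in PRINTABLE for c in data) / len(data) < 0.9:
        return 0
    return sum(w in data for w in SHELL_WORDS)

def recover_stage(blob: str):
    """Base64-decode a blob and try every single-byte XOR key; return (score, key, plaintext)."""
    try:
        raw = base64.b64decode(blob)
    except ValueError:
        return 0, None, b""
    best = (shell_score(raw), 0, raw)
    for key in range(1, 256):
        cand = bytes(b ^ key for b in raw)
        score = shell_score(cand)
        if score > best[0]:
            best = (score, key, cand)
    return best

def analyze_script(text: str) -> dict:
    """Flag the traits the article describes: decode-and-run pipe, hidden shell, VM check."""
    f = {"b64_blobs": 0, "xor_key": None, "hidden_shell": False, "vm_check": False,
         "pipes_to_shell": bool(re.search(r"base64\s+(-d|--decode)[^\n]*\|\s*(ba)?sh\b", text))}
    for m in B64_RE.finditer(text):
        f["b64_blobs"] += 1
        score, key, plain = recover_stage(m.group(0))
        if score >= 2:  # two or more shell keywords: treat the blob as a hidden script
            f["hidden_shell"], f["xor_key"] = True, key
            f["vm_check"] = f["vm_check"] or any(v in plain for v in VM_MARKERS)
    return f
```

Running `analyze_script` over a script extracted from a DMG gives a quick yes/no on the three traits before any dynamic analysis; a real sample may use a longer key or extra layers, in which case only the pipe indicator will fire.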
What fake companies have been identified in this campaign?
Darktrace identified many fake companies operating at the same time, including Pollens AI, Buzzu, Cloudsign, Swox, KlastAI, Wasper, Lunelior, BeeSync, Slax, Solune, Eternal Decay and many other brands, all closely interlinked.
The CrazyEvil attack group has been behind many campaigns since 2021, with estimated revenues in the millions of USD from fraudulent activities targeting cryptocurrency users, influencers, and DeFi experts.
Fake Company | Fake Sector | Platforms Used | Key Features
Pollens AI | Creative collaboration tool | X, Medium, Notion, GitHub | Verified X account, copied and edited source code
Swox | Web3 social network | X, multiple websites | Shared branding with Dexis, targeting DeFi
Eternal Decay | Blockchain game | Website, simulated conference documents | Uses fake conference images to increase credibility
Frequently Asked Questions
When did the fake startup company campaign take place?
It was noted to have started in December 2024 and is still ongoing globally.
What characteristics does malware attacking cryptocurrency wallets on macOS have?
It is distributed via a DMG containing an obfuscated bash script that launches automatically and checks for a virtual environment to avoid detection.
How do fake companies establish a trustworthy image?
By leveraging mainstream platforms, editing images, copying source code, and using verified social media accounts.
Which group is behind this campaign?
The CrazyEvil group, active since 2021, which has generated millions of USD in revenue from malicious activities.
How can you protect yourself from these tricks?
Users need to be cautious of invitations from unclear accounts, verify the origin of the company, and not provide codes or download software from untrusted sources.
Source: https://tintucbitcoin.com/lua-dao-social-engineering-nguoi-dung-crypto/