Fake startups target crypto users, infiltrating their wallets

Darktrace research reveals ongoing social engineering campaign targeting crypto users through fake startup companies. Scammers impersonate AI, gaming, and Web3 firms using spoofed social media accounts.

Project documentation gets hosted on legitimate platforms like Notion and GitHub. The campaign continues changing since December 2024 targeting Web3 employees globally.

Fake companies use legitimate platforms to build credible presence

Threat actors create fake startup companies with AI, gaming, video meeting software themes. Web3 and social media company facades help target cryptocurrency users specifically. These operations use compromised X accounts typically with verification to contact victims.

The attackers use legitimate platforms including Notion, Medium, and GitHub for documentation. Professional-looking websites include employee profiles, product blogs, whitepapers, and development roadmaps. X accounts appear compromised with higher follower counts adding to the appearance of legitimacy.

The scammers remain active on social media accounts posting software development updates. Product marketing content gets shared regularly while campaigns operate across platforms. Eternal Decay blockchain game created fake conference presentation photos for credibility.

The attackers even altered Italian exhibition photos making them appear as company presentations. Medium hosts blog posts about fake software products and company developments. Notion contains detailed product roadmaps and comprehensive employee listing information.

Scammers altering photo from Italian exhibition: Source

GitHub repositories feature technical software aspects using stolen open-source projects. Code names get changed to make repositories appear unique and original. Company registration information from Companies House gets linked to similar-named companies.

Gitbook details company information and lists fake investor partnerships for credibility. Gameplay images stolen from Zombie Within game appear as Eternal Decay content. Some fake companies establish merchandise stores to complete business facades.

These combined elements create convincing startup company appearances increasing infection success rates. Victims receive contact through X messages, Telegram, or Discord from employees. Fake workers offer cryptocurrency payments for software testing participation.

Malware targeting both Windows and macOS crypto wallet users

Windows versions are distributed via Electron apps that demand registration codes from impersonated employees. Bins are downloaded by users after codes are entered given via social media messaging. CloudFlare verification screens are presented prior to malware execution on target systems.

The malware gathers system profiles in username, CPU details, RAM, and graphics. MAC addresses and system UUIDs are gathered in preliminary reconnaissance phases. Token-based authentication mechanisms use tokens which are derived from application launcher URLs.

Stolen code signing certificates increase software legitimacy and evade security detection. Companies like Jiangyin Fengyuan Electronics Co. and Paperbucketmdb ApS certificates were used. Python gets retrieved and stored in temporary directories for command execution.

macOS distributions are released as DMG files containing bash scripts and binaries. Scripts use obfuscation techniques like base64 encoding and XOR encryption. AppleScript mounts malware and runs executables from temporary directories automatically.

The macOS malware performs anti-analysis checks for QEMU, VMWare, and Docker environments. Atomic Stealer targets browser data, crypto wallets, cookies, and document files. Stolen data gets compressed and sent via POST requests to servers.

Additional bash scripts establish persistence through Launch Agent configurations at login. The malware logs active application usage and window information continuously. User interaction timestamps get recorded and transmitted to collection servers periodically.

Both versions target cryptocurrency wallet data specifically for theft operations. Multiple fake companies distribute identical malware with different branding and themes.

Extensive list of fake companies identified across multiple platforms

Darktrace revealed several phony companies running through this social engineering campaign. Pollens AI impersonates collaborative creation tools using X accounts and other websites. Buzzu employs the same logos and code as Pollens but runs under different branding.

Cloudsign is reported to provide document signing platform services to business consumers. Swox is a Web3 space next-generation social network. KlastAI is closely linked to Pollens accounts and sites bearing the same branding.

Wasper uses the same logos and GitHub code as Pollens across various areas. Lunelior operates through various websites serving various groups of users in specific. BeeSync previously operated as Buzzu alias before its rebranding in January 2025.

Slax hosts social media and AI-centric sites on multiple websites. Solune reaches users through social media platform activity and messaging app usage. Eternal Decay is a blockchain gaming firm with synthetic conference presentations.

Dexis is branded the same as Swox and shared the same user base. NexVoo has multiple domains and social media platform management. NexLoop rebranded to NexoraCore by renaming GitHub repositories.

YondaAI targets social media site users and various website domain users. Every business has professional fronts through real platform integration procedures. The CrazyEvil traffer group has been operating such campaigns since 2021.

Recorded Future approximates CrazyEvil’s millions of revenue from malicious activities. The group is said to be behind attacks on crypto users, influencers, and DeFi professionals. The campaigns show extensive efforts in making legitimate business appearances.

Source