
Darktrace warns of social engineering scams deploying crypto-stealing malware

By Crypto Observer Staff, July 11, 2025

Researchers at cybersecurity company Darktrace have warned that threat actors are using increasingly sophisticated social engineering tactics to infect victims with crypto-stealing malware.

In its latest blog post, Darktrace detailed an elaborate campaign in which scammers impersonated AI, gaming, and Web3 startups to trick users into downloading malicious software.

The scheme relies on verified and compromised X accounts, as well as project documentation hosted on legitimate platforms, to create an illusion of legitimacy.

According to the report, the campaign usually begins with impersonators reaching out to potential victims on X, Telegram, or Discord. Posing as representatives of emerging startups, they offer incentives such as cryptocurrency payments in exchange for testing software.

Victims are then directed to polished company websites designed to mimic legitimate startups, complete with whitepapers, roadmaps, GitHub entries, and even fake merchandise stores.

Once a target downloads the malicious application, a Cloudflare verification screen appears, during which the malware quietly collects system information such as CPU details, MAC address, and user ID. This information, along with a CAPTCHA token, is sent to the attacker’s server to determine whether the system is a viable target.

If the verification succeeds, a second-stage payload, typically an info-stealer, is stealthily delivered and then extracts sensitive data, including cryptocurrency wallet credentials.

Both Windows and macOS versions of the malware have been detected, with some Windows variants known to be using code-signing certificates stolen from legitimate companies.

According to Darktrace, the campaign resembles tactics used by “traffer” groups, which are cybercriminal networks that specialize in generating malware installs through deceptive content and social media manipulation.

While the threat actors remain unidentified, researchers believe the methods used are consistent with those seen in campaigns attributed to CrazyEvil, a group known for targeting crypto-related communities.

“CrazyEvil and their sub teams create fake software companies, similar to the ones described in this blog, making use of Twitter and Medium to target victims,” Darktrace wrote, adding that the group is estimated to have made “millions of dollars in revenue from their malicious activity.”

A recurring threat

Similar malware campaigns have been detected on multiple occasions throughout this year, with one North Korea-linked operation found to be using fake Zoom updates to compromise macOS devices at crypto firms.

Attackers were reportedly deploying a new malware strain dubbed “NimDoor,” delivered through a malicious SDK update. The multi-stage payload was designed to extract wallet credentials, browser data, and encrypted Telegram files while maintaining persistence on the system.

In another instance, the infamous North Korean hacking group Lazarus was found to be posing as recruiters to target unsuspecting professionals using a new malware strain called “OtterCookie,” which was deployed during fake interview sessions.

Earlier this year, a separate study by blockchain forensic firm Merkle Science found that social engineering scams were mostly targeting celebrities and tech leaders through hacked X accounts.
