
Russian Cybercrime Group Uses Fake Job Interviews and ‘GrassCall’ App to Drain Crypto Wallets


Crazy Evil, a Russian-speaking cybercrime group, has executed a sophisticated social engineering attack targeting hundreds of job seekers in the cryptocurrency and Web3 space, according to a new report from BleepingComputer.

Web3 job seekers have lost their crypto assets in a new wallet-draining scam. In a hard economy, scams are normal.

One of their subgroups, known as “KEVLAND,” reportedly built a fake website called “ChainSeeker.io” and used this fake identity to post premium Web3 job listings on major platforms like LinkedIn, WellFound, and CryptoJobsList.

Brutal!

Following their applications, victims received emails directing them to a fake “Chief Marketing Officer” on Telegram. This “CMO” then instructed them to download a phony video meeting application called “GrassCall” from the malicious website grass[.]net.

ChainSeeker jobs promoted on CryptoJobsList (Source: Choy)

Upon downloading, the “GrassCall” app initiated a dual-pronged malware attack, tailored to the victim’s operating system. Windows users were infected with Rhadamanthys RAT and infostealers, granting attackers remote access and data exfiltration capabilities.

Mac users were targeted with the Atomic (AMOS) Stealer, a potent malware designed to compromise macOS systems.

The installed malware stole private information, including passwords, authentication cookies, cryptocurrency wallets, Apple keychain data, and files that store passwords. After that, the stolen data was uploaded to the attackers’ servers and shared within their Telegram channels.

If cryptocurrency wallets were found, the attackers attempted to brute-force passwords and drain the funds. The group would then pay members that successfully got the malware installed on the victim’s machine.

Well Orchestrated Scheme

Investigators found the “GrassCall” website was not original, but a clone of the “Gatherum” site. Moreover, the attackers impersonated real people for ChainSeeker.io’s nonexistent leadership. The job listings have been removed from job boards, except for one that is still active on LinkedIn.

“This scam was extremely well-orchestrated,” said Cristian Ghita, a LinkedIn user who applied to the company. “They had a website, LinkedIn and X profiles, and employees listed.”

The scale of the operation is becoming increasingly apparent, with dozens of victims recounting similar experiences on social media. Many have reported huge financial losses as their cryptocurrency holdings were drained.

Security experts are urging victims to take immediate action, including changing passwords on an uninfected device and transferring cryptocurrency to new, secure wallets.

Recorded Future, a threat intelligence firm, had previously warned that crypto, NFT, and gaming professionals were “prime targets” for this type of attack.

Crazy Evil is known for targeting the cryptocurrency and Web3 ecosystems through sophisticated social engineering tactics and malware distribution. Apart from “KEVLAND,” the group operates five other subteams, known as “AVLAND,” “TYPED,” “DELAND,” “ZOOMLAND,” and “DEF.”

The group specializes in identity fraud, cryptocurrency theft, and deploying information-stealing malware. They target high-value victims, including tech, gaming, and crypto influencers.

Sadly It Works….

Crazy Evil employs a range of malware tools, such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer, to compromise both Windows and macOS systems.

According to Recorded Future, the group has conducted over 10 active scams on social media since 2021. Their common tactic is to lure targets into installing malware, as in the most recent campaign.

There have been numerous other cryptocurrency job scams targeting people who are job hunting. The FBI has warned against cryptocurrency job scams, including those involving fake job offers that require victims to make cryptocurrency payments.

Scammers post job ads offering unusually high pay for simple tasks, often requiring victims to accept payment in cryptocurrencies like Bitcoin or Ethereum. These jobs may involve tasks that seem legitimate but are in fact part of a money laundering scheme.

The federal authorities have advised individuals to be cautious of unsolicited job offers, avoid making cryptocurrency payments to employers, and report suspicious activities to the agency.
