Known for their Russian heritage and proficiency in cybercrime, Crazy Evil has deftly executed a social engineering ploy aimed specifically at job seekers within the cryptocurrency and Web3 industries. The insights come from a recent report released by BleepingComputer.
Amidst tough economic conditions, cryptocurrency asset scams have emerged as another hurdle for Web3 job aspirants, stripping them of their crypto reserves.
A subgroup of the gang, operating under the alias 'KEVLAND', is suspected of orchestrating a sham website dubbed ‘ChainSeeker.io’, leveraging it to post alluring Web3 job vacancies across high-profile platforms like LinkedIn, WellFound, and CryptoJobsList.
Brutal!
Candidates were persuaded to connect via emails that led them to converse with a fictitious ‘Chief Marketing Officer’ on Telegram. This faux executive then manipulated them into downloading a counterfeit video conferencing app called ‘GrassCall’ hosted on the perilous site grass[.]net.
Source: Choy
As soon as 'GrassCall' was installed, it unleashed a dual-layer malware attack, targeting victims based on their operating system. Windows users faced the wrath of Rhadamanthys RAT and info-stealing malware, enabling cyber thieves to infiltrate and siphon data.
Meanwhile, those using macOS fell prey to the Atomic (AMOS) Stealer, a potent malware crafted to wreak havoc on their systems.
The malicious software was after private details, pilfering passwords, authentication cookies, crypto wallets, Apple keychain info, and files laden with sensitive credentials. The stolen treasure trove of data was then whisked away to the offender's servers and quickly circulated in their Telegram rings.
When crypto wallets were uncovered, hackers attempted brute-force password breaches to extract funds, rewarding members who successfully planted malware on a victim's device.
Well Orchestrated Scheme
Investigators discovered that the 'GrassCall' website was a mere replica of the 'Gatherum' site, and malicious actors even assumed the identities of real individuals to create a facade of legitimacy for the phantom leadership of ChainSeeker.io. Most job listings have been scrubbed from recruitment sites, save for one still lingering on LinkedIn.
“Their deception was incredibly well-orchestrated,” commented Cristian Ghita, a LinkedIn applicant. “They had an entire setup, from a convincing website to LinkedIn and X profiles, not to mention employees who seemed authentic.”
The breadth of this cyber campaign is unfolding, with numerous victims sharing near-identical tales on social media, many lamenting substantial financial damages as their cryptocurrency holdings were drained.
Security specialists are calling for quick action from victims: changing passwords from uncompromised devices and moving digital currencies to newly established, secured wallets.
Preemptive warnings issued by threat trackers at Recorded Future spotlighted crypto, NFT, and gaming industry professionals as prime prey for such attacks.
The shadowy ensemble Crazy Evil has gained notoriety for its predatory tactics on cryptocurrency and Web3 sectors, employing advanced social engineering schemes and malware deployment. Beyond 'KEVLAND', their operation includes other factions such as ‘AVLAND’, ‘TYPED’, ‘DELAND’, ‘ZOOMLAND’, and ‘DEF’.
Their criminal expertise extends into identity theft, cryptocurrency robbery, and the dispersal of data-pilfering malware, often singling out high-value individuals like tech, gaming, and crypto-sector influencers.
Sadly It Works….
Crazy Evil’s arsenal of malware includes StealC, the Atomic macOS Stealer (AMOS), and Angel Drainer, aimed to compromise both Windows and macOS ecosystems.
Since 2021, Recorded Future has chronicled over ten of their active scam operations on social platforms, often baiting victims into unwittingly installing destructive software.
The landscape of employment scams targeting crypto job seekers is vast, with warnings issued by the FBI to beware of offers requiring upfront cryptocurrency transactions under the guise of job opportunities.
Fraudsters plant job ads with eye-catching salary offers in exchange for seemingly simple assignments, compelling victims into cryptocurrency transactions with the ruse of straightforward tasks, which may conceal intricate money laundering schemes.
Federal authorities urge vigilance against unsolicited job offers, cautioning against crypto payments to employers, and recommend alerting authorities to any suspicious activities.
