- Fake AI and Web3 startups are tricking crypto users into downloading malware through sleek websites, hijacked X accounts, and phoney employee outreach.
- Dozens of fake brands, like Swox and Eternal Decay, were identified, many using altered media and copied code.
- The campaign closely mirrors tactics used by traffer group CrazyEvil, known for targeting crypto and DeFi communities.
A widespread cybercrime campaign is deceiving users into installing malicious software disguised as products from fake AI and Web3 startups, according to new findings by Darktrace. These elaborate scams are orchestrated by threat actors who set up bogus companies with seemingly legitimate digital footprints, complete with websites, whitepapers, and verified X (formerly Twitter) accounts, to build trust and trick users.
Victims are typically contacted via X, Telegram, or Discord by individuals posing as employees of these fake startups. They are asked to test early versions of the software in exchange for cryptocurrency, leading them to download infected files through the fake company's website using a registration code.
Once downloaded, the Windows version launches a Cloudflare-style verification prompt before quietly executing an MSI installer, which proceeds to extract detailed system information and deploy information-stealing malware. These apps are often signed using stolen certificates from real companies, such as Jiangyin Fengyuan Electronics and Paperbucketmdb ApS.
On macOS, the fake DMG file installs a version of Atomic Stealer, which scans for browser data, cookies, documents, and crypto wallet credentials. The stolen data is compressed and sent to a remote server. Persistence mechanisms are also established via macOS Launch Agents, ensuring the malware relaunches at system login.
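As an added defender-side example (not code from Darktrace's report), the following Python triage parses macOS LaunchAgent plists and flags the login-persistence pattern described above; the suspicious path prefixes, interpreter list, and both sample plists are constructed assumptions, not indicators from the campaign.

```python
import plistlib
from pathlib import Path

# Heuristic path prefixes rarely used by legitimate login items; a stealer
# dropped by a fake installer often lives in a temp, shared or hidden path.
# (Assumption of this example, not an indicator from the report.)
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
INTERPRETERS = ("/sh", "/bash", "/zsh", "/osascript", "/python3")


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and collect login-persistence indicators."""
    agent = plistlib.loads(plist_bytes)
    args = [str(a) for a in agent.get("ProgramArguments") or []]
    if agent.get("Program"):                 # Program, if set, is the executable
        args = [str(agent["Program"])] + args
    reasons = []
    if agent.get("RunAtLoad") or agent.get("KeepAlive"):
        reasons.append("relaunches at login (RunAtLoad/KeepAlive)")
    if any(a.startswith(SUSPICIOUS_PREFIXES) or "/." in a for a in args):
        reasons.append("references a temp, shared or hidden path")
    if args and args[0].endswith(INTERPRETERS):
        reasons.append("launched through a shell or script interpreter")
    return {"label": agent.get("Label", ""), "cmdline": " ".join(args),
            "suspicious": len(reasons) >= 2, "reasons": reasons}


def scan_launch_agents(directory: Path) -> list:
    """Triage every .plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    return [triage_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


# Constructed sample plists (not real indicators): one mimicking the persistence
# pattern described above, one resembling an ordinary application helper.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/Shared/.cache/run.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.app.helper</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        if finding["suspicious"]:
            print(finding["label"], finding["reasons"])
```

A single indicator (RunAtLoad alone) is normal for many legitimate helpers, so the triage only flags agents that combine login persistence with an unusual path or interpreter-based launch.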
Darktrace identified numerous fake brands involved, including Pollens AI, Swox, Wasper, Lunelior, and Eternal Decay, the last of which had posted fake conference photos and gameplay content stolen from unrelated games.
Although attribution remains uncertain, the tactics resemble those of known traffer group CrazyEvil, a cybercriminal ring previously documented to have made millions through similar social engineering and malware schemes targeting crypto users and DeFi professionals. A traffer is a type of cybercriminal who specialises in driving traffic to malware-laced downloads that steal user data.
By mimicking legitimate business structures and hijacking trusted social platforms, these attackers have created a highly effective and ongoing method of stealing cryptocurrency across both Windows and Mac systems.