Crypto Job Seekers Duped, Wallets Drained
A recent social engineering campaign targeted job seekers in the Web3 space through a deceptive "GrassCall" meeting app, which installed malware designed to steal cryptocurrency wallets.
The cybercrime group behind the campaign, known as Crazy Evil, used fake job opportunities to lure individuals into downloading malicious software on both Windows and Mac devices.
The group created a bogus Web3 company, "ChainSeeker.io," and promoted fake job listings, such as "Blockchain Analyst" and "Social Media Manager," on platforms like LinkedIn and X (formerly known as Twitter).
Hundreds of victims have reported wallet thefts following the attacks.
Cristian Ghita, a freelance UX developer who was reportedly affected by the scam, shared his experience in a LinkedIn post, expressing that the opportunity appeared genuine at first glance.
He added:
“Even the video-conferencing tool had an almost believable online presence.”
Although the campaign has since been shut down and most social media ads have been removed, many impacted individuals have turned to a dedicated Telegram group for support in removing the malware.
Cybersecurity experts warn of the increasing sophistication of such attacks within the crypto community.
How Crazy Evil Operated The Social Engineering Attack on Crypto Job Applicants
Users were deceived into installing malicious software designed to steal sensitive information, including passwords, authentication cookies, and cryptocurrency wallets.
In a conversation with Choy, a Web3 professional targeted by the attack, it was revealed that the cybercriminals crafted a convincing online persona, complete with a fake website and social media profiles on X and LinkedIn under the name "ChainSeeker.io."
The Russian-speaking group further amplified their scam by purchasing premium ads on platforms such as LinkedIn, WellFound, and CryptoJobsList to increase visibility.
Figure: CryptoJobsList’s promotion of ChainSeeker jobs
Applicants, after engaging with the fake company, would receive an email from a supposed “chief human resources officer,” directing them to connect with the fabricated “chief marketing officer” on Telegram.
Figure: Fake ChainSeeker company’s interview invitation
This individual would then prompt them to download a virtual meeting software called GrassCall and input a code.
Once installed, GrassCall placed various forms of information-stealing malware and remote access trojans (RATs) on the victim’s device. The malware then sought out crypto wallets, passwords, Apple Keychain data, and browser authentication cookies.
The software, which was hosted on "grasscall[.]net," was tailored to either Windows or Mac devices depending on the user’s browser configuration.
Figure: Telegram conversation with fake ChainSeeker CMO
Cybersecurity researcher g0njxa, who has been tracking these threat actors, revealed that the GrassCall website is a near-identical replica of a "Gatherum" website previously used in another campaign.
According to g0njxa, these cloned sites are part of social engineering attacks orchestrated by a subgroup of the Crazy Evil hacker group known as "kevland," a group also detailed in a report by Recorded Future.
A Recorded Future report on the Crazy Evil cybercriminals explained:
"Gatherum is a self-proclaimed AI-enhanced virtual meeting software that is primarily advertised on social media (@GatherumAI) and an AI-generated Medium blog (medium[.]com/@GatherumApp). Traffers assigned to Gatherum are provided with a manual for working the scam. Gatherum is managed by Crazy Evil subteam KEVLAND, tracked internally by Insikt Group as CE-6."
In response to the attack, CryptoJobsList promptly removed the fraudulent job listings and issued a warning to applicants, advising them to scan their devices for malware.
However, g0njxa reports that the attackers have already shifted focus to a new campaign dubbed "VibeCall," continuing to utilize the same website template as GrassCall.
This shift highlights the evolving nature of the attackers' methods as they adapt to circumvent defenses.