Cryptocurrency users are being targeted by threat actors employing elaborate social engineering schemes to steal digital assets. These schemes involve the use of fake startup companies that impersonate AI, gaming, and Web3 firms. The attackers create spoofed social media accounts and project documentation, which are hosted on legitimate platforms like Notion and GitHub, to lure victims.

These malicious operations trick users into downloading malware capable of draining digital assets from both Windows and macOS systems. The threat actors often approach potential targets on messaging apps like Telegram, enticing them with investment opportunities. In one instance, a well-known investor at a crypto VC firm fell victim to a phishing attack that wiped out a substantial portion of their personal savings. The scam unfolded through a fake Zoom call, where the victim was prompted to install an "audio fix" update, which turned out to be malware. Within minutes, the hackers accessed the victim's system and drained six crypto wallets.

This social engineering campaign has been active for some time, with a previous iteration in December 2024 using bogus videoconferencing platforms. That campaign, codenamed Meeten by Cado Security, involved infecting users with stealer malware such as Realst after they downloaded the fake meeting software. The latest findings indicate that the campaign remains an active threat and has expanded to include themes related to artificial intelligence, gaming, Web3, and social media.

The attackers have also been observed leveraging compromised X accounts associated with companies and employees, particularly those that are verified, to give their fake companies an illusion of legitimacy. They utilize platforms frequently used by software companies, such as X, Medium, GitHub, and Notion, to create professional-looking websites with employee profiles, product blogs, whitepapers, and roadmaps.

Cybersecurity experts warn that as the cryptocurrency industry matures, sophisticated cyber threats targeting insiders are becoming more common. In addition to the fake company schemes, other recent incidents include scammers sending fake Ledger-branded letters via USPS to trick users into scanning phishing QR codes. In another case, $330 million worth of BTC was stolen from an elderly victim using a similar phishing approach.

Researchers have noted similarities between these campaigns and the techniques used by the North Korean Lazarus Group. These campaigns highlight the efforts that threat actors will undertake to make their fake companies appear legitimate in order to steal cryptocurrency from victims, including the use of newer, more evasive versions of malware.