Darktrace Warns of 40% Rise in Crypto-Stealing Malware Campaigns

Generated by AI Agent, Coin World
Friday, Jul 11, 2025, 4:03 am ET

Darktrace, a prominent cybersecurity firm, has issued a warning about the escalating use of sophisticated social engineering tactics by threat actors to distribute crypto-stealing malware. The company's researchers detailed an intricate campaign in which scammers impersonate AI, gaming, and Web3 startups to deceive users into downloading malicious software.

The scheme employs verified and compromised accounts on platforms like X, as well as project documentation hosted on legitimate sites, to create an aura of authenticity. The campaign typically begins with impersonators reaching out to potential victims on X, Telegram, or Discord, posing as representatives of emerging startups. They offer incentives such as cryptocurrency payments in exchange for testing software, luring victims to polished company websites that mimic legitimate startups, complete with whitepapers, roadmaps, GitHub entries, and even fake merchandise stores.

Once a target downloads and runs the malicious application, a verification screen appears. While the victim waits, the malware covertly collects system information such as CPU details, MAC address and user ID. That fingerprint, together with a CAPTCHA token, is sent to the attacker's server, which decides whether the host is a viable target (a real victim rather than an analyst's sandbox). If the check passes, a second-stage payload, typically an info-stealer, is delivered and extracts sensitive data, including cryptocurrency wallet credentials.
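The two-step flow above (fingerprint upload, then a conditional second-stage download from the same infrastructure) is something a defender can look for in egress proxy telemetry. The following is an added example written for this article, not Darktrace's detection logic; it assumes a JSON-per-line proxy log with the fields shown, and the log lines, process name and domains are constructed for illustration.

```python
"""Flag a fingerprint POST followed shortly by a binary download from the same
domain by the same process. Added example; assumes a JSON-per-line proxy log
with the fields used below (constructed sample, not real telemetry)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line, as an egress proxy might emit.
# The first two lines mimic the staged delivery described in the article; the
# last two are benign browser traffic that must not trigger an alert.
SAMPLE_LOG = """\
{"ts":"2025-07-10T09:00:01Z","host":"ws-12","proc":"StartupTool.exe","method":"POST","url":"https://api.startup-tool.example/verify","body_keys":["cpu","mac","uid","captcha"],"resp_ct":"application/json","resp_bytes":42}
{"ts":"2025-07-10T09:00:04Z","host":"ws-12","proc":"StartupTool.exe","method":"GET","url":"https://api.startup-tool.example/update/stage2.bin","body_keys":[],"resp_ct":"application/octet-stream","resp_bytes":2310144}
{"ts":"2025-07-10T09:05:00Z","host":"ws-07","proc":"chrome.exe","method":"POST","url":"https://login.example.com/session","body_keys":["username","password","captcha"],"resp_ct":"text/html","resp_bytes":900}
{"ts":"2025-07-10T09:06:00Z","host":"ws-07","proc":"chrome.exe","method":"GET","url":"https://cdn.example.com/app.css","body_keys":[],"resp_ct":"text/css","resp_bytes":1200}
"""

# Body field names that suggest host fingerprinting (assumed names; adapt to
# what your proxy actually extracts). A CAPTCHA token alone is not suspicious.
FINGERPRINT_KEYS = {"cpu", "mac", "uid", "hwid", "machine_id", "serial"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-mach-binary"}
WINDOW = timedelta(minutes=10)  # how long after the POST a stage-2 fetch counts


def parse_log(text):
    """Parse JSON-per-line records and convert timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def is_fingerprint_post(rec):
    """A POST carrying at least two fingerprint-style fields."""
    return rec["method"] == "POST" and len(FINGERPRINT_KEYS & set(rec["body_keys"])) >= 2


def is_binary_fetch(rec):
    return rec["method"] == "GET" and rec["resp_ct"] in BINARY_TYPES


def domain_of(url):
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def detect_staged_delivery(records):
    """Return one alert per (host, process) whose fingerprint POST is followed
    within WINDOW by an executable download from the same domain."""
    by_proc = defaultdict(list)
    for rec in records:
        by_proc[(rec["host"], rec["proc"])].append(rec)

    alerts = []
    for (host, proc), recs in by_proc.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if not is_fingerprint_post(first):
                continue
            for second in recs[i + 1:]:
                if second["ts"] - first["ts"] > WINDOW:
                    break
                if is_binary_fetch(second) and domain_of(second["url"]) == domain_of(first["url"]):
                    alerts.append({
                        "host": host,
                        "proc": proc,
                        "domain": domain_of(first["url"]),
                        "fingerprint_post": first["url"],
                        "stage2_url": second["url"],
                        "stage2_bytes": second["resp_bytes"],
                    })
                    break  # one alert per fingerprint POST is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_delivery(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The rule keys on the sequence rather than on any single request: a fingerprint upload on its own is common in legitimate telemetry, and a binary download on its own is noise, but the two from one process against one domain within minutes is the shape the article describes. Tune FINGERPRINT_KEYS and WINDOW to your proxy's field extraction and to how long the fake "verification" screen stays up.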

Both Windows and macOS versions of the malware have been detected, and some Windows variants are signed with code-signing certificates stolen from legitimate companies, so a valid signature on one of these installers is not by itself evidence that it is trustworthy. Darktrace researchers noted that the campaign resembles tactics used by "traffer" groups, cybercriminal networks that specialize in generating malware installs through deceptive content and social media manipulation.

While the threat actors remain unidentified, researchers believe the methods used are consistent with those seen in campaigns attributed to CrazyEvil, a group known for targeting crypto-related communities. “CrazyEvil and their sub teams create fake software companies, similar to the ones described in this blog, making use of Twitter and Medium to target victims,” Darktrace wrote, adding that the group is estimated to have made “millions of dollars in revenue from their malicious activity.”

Similar malware campaigns have been detected on multiple occasions throughout this year. One North Korea-linked operation was found to be using fake updates to compromise macOS devices at crypto firms. Attackers were reportedly deploying a new malware strain dubbed "NimDoor," delivered through a malicious SDK update. The multi-stage payload was designed to extract wallet credentials, browser data and encrypted Telegram files while maintaining persistence on the system.

In another instance, the infamous North Korean hacking group Lazarus was found to be posing as recruiters to target unsuspecting professionals using a new malware strain called “OtterCookie,” which was deployed during fake interview sessions. Earlier this year, a separate study by blockchain forensic firm Merkle Science found that social engineering scams were mostly targeting celebrities and tech leaders through hacked accounts.
