
Russian cybercrime group “Crazy Evil” has been implicated in a series of scams targeting cryptocurrency users, including a recent scheme where they impersonated Web3 company “ChainSeeker io” to defraud job seekers.
The group, active since 2021, has reportedly generated over $5 million in illegal revenue through more than 10 social media scams as cited by Wu Blockchain.
How did Crazy Evil Orchestrate the Scam?
The group posted fake job advertisements such as “Blockchain Analyst” on platforms such as LinkedIn, X and CryptoJobsList. These ads lured applicants into downloading GrassCall, a malicious video conferencing application.
The software contains information-stealing malware and remote access Trojans (RATs) designed to steal cryptocurrency wallets, passwords and browser data from the victim’s device.
On Windows devices, the fake meeting app installs a RAT along with an infostealer, such as Rhadamanthys, while on Macs, it installs the Atomic (AMOS) Stealer malware.
Modus Operandi
Cybersecurity researchers at Recorded Future’s Insikt Group have identified Crazy Evil as a “traffer team,” specializing in redirecting traffic to malicious phishing pages. The group uses a sophisticated malware toolkit, including Stealc and Atomic macOS Stealer (AMOS), to target both Windows and macOS systems.
Crazy Evil’s activities extend beyond fake job offers, with the gang also using fake services promoted on social media to trick victims into downloading malware. These scams often involve non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts.
Subteams
Crazy Evil is composed of subteams, including AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each managing phishing pages for various scams.
These scams include fake decentralized communication tools, fake games, fake AI-assisted productivity software, and impersonations of Zoom and WeChat.
Aftermath
In response to the exposure of the “ChainSeeker io” scam, CryptoJobsList removed the fraudulent job listing and warned applicants to scan their devices for malware. While this particular campaign appears to have been terminated, experts advise those who downloaded the software to change their passwords and authentication tokens.
Insikt Group recommends deploying endpoint detection and response (EDR) solutions, web filtering, and security awareness training to mitigate the threat posed by Crazy Evil and similar groups.
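The web-filtering recommendation above can be turned into a concrete detection: flag installer downloads (.exe, .msi, .dmg, .pkg) from domains that are not on an approved software list, which is exactly the pattern a lure like the fake meeting app produces. The following is an added illustration and is not code from the article, Recorded Future or Insikt Group; the log format, the allowlist domains and the sample log lines are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of vendor download hosts the organisation approves for
# meeting and collaboration software. Placeholder names, constructed for this example.
APPROVED_SOFTWARE_DOMAINS = {
    "updates.approved-meetings.example",
    "downloads.corp-vendor.example",
}

# File extensions and MIME types that indicate an installer or disk image.
INSTALLER_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg")
INSTALLER_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msi",
    "application/x-apple-diskimage",
    "application/octet-stream",
}

# Assumed proxy log format (constructed): "<timestamp> <user> <method> <url> <status> <content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample log lines; the hosts and file names are placeholders.
SAMPLE_PROXY_LOG = [
    "2025-03-01T09:12:04Z alice GET https://updates.approved-meetings.example/client-5.2.exe 200 application/x-msdownload",
    "2025-03-01T09:15:31Z bob GET https://job-interview-invite.example/MeetingApp-setup.exe 200 application/octet-stream",
    "2025-03-01T09:16:02Z bob GET https://job-interview-invite.example/index.html 200 text/html",
    "2025-03-01T09:20:45Z carol GET https://job-interview-invite.example/MeetingApp.dmg 200 application/x-apple-diskimage",
    "2025-03-01T09:21:10Z dave GET https://cdn.somewhere.example/report.pdf 200 application/pdf",
    "2025-03-01T09:22:00Z erin GET https://cdn.somewhere.example/tool.msi 403 text/html",
]


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_installer(url, ctype):
    """True when either the URL path extension or the MIME type suggests an installer."""
    path = urlparse(url).path.lower()
    return path.endswith(INSTALLER_EXTENSIONS) or ctype.lower() in INSTALLER_CONTENT_TYPES


def find_unapproved_installer_downloads(lines, allowlist=APPROVED_SOFTWARE_DOMAINS):
    """Return one alert per successful installer download from a host not on the allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        # Skip unparseable lines and requests the proxy already blocked or that failed.
        if rec is None or rec["status"] != 200:
            continue
        host = (urlparse(rec["url"]).hostname or "").lower()
        if is_installer(rec["url"], rec["ctype"]) and host not in allowlist:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "host": host, "url": rec["url"]})
    return alerts


def summarize_by_host(alerts):
    """Count alerts per host; a host hit by several users is a stronger signal of a campaign."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_unapproved_installer_downloads(SAMPLE_PROXY_LOG)
    for a in found:
        print(f"{a['ts']} user={a['user']} downloaded installer from unapproved host {a['host']}: {a['url']}")
    print("per-host totals:", summarize_by_host(found))
```

Run against the constructed sample, the script reports two downloads from the unapproved host and leaves the approved vendor download, the PDF and the already-blocked request alone. In a real deployment the allowlist would be populated from the organisation's software inventory, and the per-host totals are the natural pivot for deciding whether to block the domain at the web filter and trigger password and token rotation for the affected users, as the article recommends.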