Fake Startups Are Targeting Crypto Users—Here’s How It Works
Security researchers at Darktrace have uncovered a sprawling social engineering campaign that’s been running since late last year. The scammers are posing as legitimate startups—mostly in AI, gaming, and Web3—to trick crypto users into downloading malware. And honestly, it’s pretty convincing stuff.
They’re not just slapping together shady websites. These fake companies have full-blown online presences, complete with professional-looking documentation hosted on platforms like Notion, GitHub, and Medium. There are employee profiles, product roadmaps, even whitepapers. Some have gone as far as creating fake conference presentations, lifting photos from real events (like an Italian tech exhibition) and doctoring them to fit their narrative.
How They Pull It Off
The attackers often start with compromised X (formerly Twitter) accounts, usually ones with verification badges or decent follower counts. From there, they’ll reach out to potential victims—often Web3 employees—through DMs, Telegram, or Discord. The pitch? Cryptocurrency payments for “testing” their software.
But here’s the catch: the “software” is malware designed to steal crypto wallet data. On Windows, it’s often bundled into what looks like a legitimate Electron app, complete with fake registration codes. macOS users get hit with DMG files containing obfuscated scripts that quietly run in the background. Both versions are rigged to evade detection, sometimes even using stolen code-signing certificates to appear legit.
What’s unsettling is how much effort goes into making these fake companies seem real. One, called Eternal Decay, claimed to be a blockchain gaming startup. They even stole gameplay images from an actual game (Zombie Within) and passed them off as their own. Others set up merch stores or linked to real company registrations—just enough to pass a quick Google search.
A Growing List of Fake Brands
Darktrace has identified over a dozen of these phony operations, all likely tied to a group called CrazyEvil. Some keep rebranding—Buzzu became BeeSync, NexLoop turned into NexoraCore—but the playbook stays the same. A few names popping up in their findings:
– **Pollens AI** (and its clones, like Buzzu and Wasper)
– **Cloudsign**, pretending to be a document-signing platform
– **Swox** and **Dexis**, both posing as Web3 social networks
– **KlastAI** and **YondaAI**, riding the AI hype wave
The group’s been at this since at least 2021, and researchers estimate they’ve pulled in millions. Their targets? Mostly crypto users, influencers, and DeFi professionals—anyone with a wallet worth draining.
It’s a reminder that if an offer seems too good to be true, it probably is. Even (or especially) when it comes wrapped in a slick startup facade.