Fake Crypto Startups Use Social Media To Spread Wallet-Stealing Malware

HomeNews* Cybercriminals are targeting cryptocurrency users with fake startup companies to distribute Malware.

• The campaign uses realistic websites, social media accounts, and professional-looking documentation to appear legitimate.
• Attackers impersonate AI, gaming, and Web3 companies on platforms such as X, Telegram, and Discord.
• The malware affects both Windows and macOS, stealing crypto wallet data and personal information.
• Victims are lured by offers to test new software for cryptocurrency payment, resulting in their assets being stolen. A sophisticated cybercrime campaign is targeting cryptocurrency users by impersonating new technology companies and tricking them into downloading malware disguised as legitimate software. The fraudulent scheme affects users on Windows and macOS and aims to steal digital assets by convincing victims to interact with fake companies across various social media platforms.

• Advertisement - The operation, detailed by Darktrace researcher Tara Gould, uses spoofed accounts and project materials hosted on trusted sites such as Notion and GitHub. Attackers particularly focus on Artificial Intelligence, gaming, and Web3 themes. “These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub,” Gould reported. The campaign has been active since at least March 2024, with notable activity continuing through July 2025.

The attackers frequently use verified and compromised X accounts linked to actual companies or employees, making their fake brands appear more credible to potential victims. Gould noted, “They make use of sites that are used frequently with software companies such as X, Medium, GitHub, and Notion. Each company has a professional looking website that includes employees, product blogs, whitepapers and roadmaps.”

Some of the fictitious companies involved include Eternal Decay, BeeSync, Buzzu, Cloudsign, Dexis, KlastAI, Lunelior, NexLoop, NexoraCore, NexVoo, Pollens AI, Slax, Solune, Swox, Wasper, and YondaAI. Attackers approach targets via direct messages, offering payment in cryptocurrency to test out products. If victims comply, they are sent to crafted websites to download harmful applications.

On Windows, the fake app profiles the user’s machine and runs an installer believed to act as an information thief. On macOS, the malware known as Atomic macOS Stealer (AMOS) collects documents, browser data, and crypto wallet information. The installer also sets up persistence, meaning the malicious application restarts each time the computer is rebooted.

According to Darktrace, the tactic is similar to previous scams identified under the name “Meeten” and is linked to threat groups like “Crazy Evil,” who use similar malware. The campaign demonstrates a continued evolution in the complexity of tactics used to target and defraud cryptocurrency investors.

For more details on the campaign and its methods, visit the full Darktrace report. A technical overview on persistence can be found through Apple’s Launch Agent documentation.

• Advertisement - #### Previous Articles:

• XRP Glitches Trigger Panic as Price Errors Shake Crypto Markets
• Ant International May Add Circle’s USDC to Global Whale Platform
• Bitcoin Hits Record $112,000 as Musk Confirms Wild Crypto Rumors
• New ZuRu macOS Malware Spreads via Trojanized Business Apps
• Bitcoin Hits $111K: 4 Signs Retail Investors Are Returning

• Advertisement -