crises and financial exploitation of responders
July 10, 2025. Cryptocurrency users are once again targets of a ongoing social engineering campaign that employs fake startup companies to trick users into downloading malware that can drain digital assets from both Windows and macOS systems. These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub. Examples of such malware include stealer malware like Realst and have been adopted by Cado Security as codenamed “Meeten.”
The campaign dates back to December 2024, with a previous iteration using bogus videoconferencing platforms to dupe victims into joining a meeting under the guise of discussing an investment opportunity after approaching them on messaging apps like Telegram. The latest findings from Darktrace reveal that the campaign continues to operate, with evidence of ongoing activity since at least March 2024, including the use of a non-existent “meethub[.]gg” domain forstealer malware like Realst.
The attackers have been observed leveraging compromised X accounts associated with various companies and employees, primarily verifying ones, to approach prospective targets. Each company’s professional服务平台 includes features such as a professional-looking website, professional employee profiles, whitepapers, and roadmaps. Many of these companies are listed below:
- BeeSync (@BeeSyncAI, @AIBeeSync)
- Buzzu (@BuzzuApp, @AI_Buzzu, @AppBuzzu, @BuzzuApp)
- Cloudsign (@cloudsignapp)
- DeXis (@DexisApp)
- KlastAI (@KlastAI)
- Lunelior
- NexLoop (@n NexLoop)
- NexoraCore
- NexVoo (@Nexvoospace)
- Pollens AI (@PollensApp, @PollensApp)
- Slax (@SlaxApp, @Slax_project, @slaxproject)
- Solune (@SoluneApp)
- Swox (@SwoxApp, @Swox_AI, @swox Applying)
- Wasper (@WasperSpace)
- YondaAI (@yondaspace)
The attack chains begin when one of these adversary-controlled accounts threatens a victim through X, Telegram, or Discord, prompting them to test their software for cryptocurrency payment. If the target agrees, they are redirected to a fictitious website where they use their employee to gain access and download either a Windows Electron or an Apple disk image (DMG) file. On Windows systems, the malware demonstrates a Cloudflare verification screen, while macOS users are similarly tricked into deploying Atomic macOS Stealer (AMOS), a known infostealer. The malware then siphons documents and data, exfiltrating details, and transmits them to external servers.
The DMG binary is equipped with shell scripts designed to set up persistence and log application usage and user interactions, then transmit them to a remote server. Darktrace noted that this campaign shares tactical similarities with those orchestrated by a traffancers group called Crazy Evil, known for duplicating malware like StealC, AMOS, and Angel Drainer to hide legitimate companies from victims.
Despite the campaign’s widespread impact, it is unclear whether the incidents could be attributed solely to Crazy Evil or other subteams. The techniques described are akin to those executed by Mad Ike, highlighting the actors’ intent behind these vehicle tactics. This campaign underscores the growing sophistication of cybercrime, where attackers aim to deception users into downloading malicious software while also exploiting these efforts to steal cryptocurrency and disrupt financial institutions. Follow these companies on Twitter and LinkedIn to stay updated with the latest threats and credentials.