Crypto Wallets Under Attack: Social Scams Uncovered


In Brief
A sophisticated cybercrime wave is targeting crypto users through fake companies, social media scams, and malware-laced apps designed to drain digital wallets.

Cryptocurrency users are once again in the crosshairs of an increasingly sophisticated cybercrime campaign. According to new findings by Darktrace, malicious actors are exploiting social media, fake startup companies, and legitimate platforms to trick users into downloading wallet-draining malware.
This elaborate social engineering scheme, which first came to light in late 2024, has morphed into a sprawling network of false identities, imitation tech firms, and weaponized communication channels, all designed to steal digital assets. By mimicking the aesthetic and behavior of real AI, gaming, and Web3 companies, scammers have managed to breach the defenses of hundreds of unsuspecting users.
A Familiar Yet Evolving Threat
Almost a year ago, cybersecurity firm Cado Security Labs uncovered a campaign targeting Web3 employees with fraudulent meeting platforms. Known as the “Meeten” campaign, it used fake video conferencing software to deliver malware called Realst. Victims were invited to join fabricated meetings under the guise of partnership or investment discussions. Once they downloaded the software, their devices were compromised.
Darktrace has now confirmed that this campaign remains active in 2025. The tactics have expanded beyond video apps to include fake AI, gaming, and social media firms.
Tara Gould, a Darktrace researcher, stated that these malicious operations “impersonate AI, gaming, and Web3 firms” using spoofed social media accounts and project documentation hosted on legitimate platforms.
Fictional Startups, Real Consequences
The playbook is disturbingly detailed. Cybercriminals construct entire fake companies, complete with convincing websites, blog posts, whitepapers, and even fake employee profiles. X (formerly Twitter), Medium, GitHub, and Notion are routinely used to host project content, technical documentation, and roadmaps.
Some of the most persuasive scams rely on compromised verified X accounts that belong to real individuals or firms. These accounts, with thousands of followers and years of activity, lend the scammers credibility.
Once a fake company is set up, the attackers launch full-scale marketing efforts. Posts about software development milestones, event appearances, and merchandise stores fill their feeds to boost authenticity.
A prominent example is a fictional blockchain game studio called “Eternal Decay.” The fake company used edited photos to suggest it was presenting at major conferences, despite no such game existing. Its GitHub account included cloned open-source projects disguised as original code. The scammers even faked a UK Companies House registration by linking to the listing of a similarly named real firm.
How Victims Are Targeted
The attack often begins on platforms like X, Discord, or Telegram. A supposed employee reaches out, offering the target a cryptocurrency payment in exchange for testing early software.
The victim is guided to a download page, provided with a registration code, and instructed to install the application. Depending on the system, they download either a macOS DMG or a Windows Electron app. These binaries contain Realst or similar stealer malware.
From there, the malware quietly infiltrates the system. It extracts browser data, authentication tokens, passwords, and, most importantly, private keys for crypto wallets. Users often don’t realize their wallets have been compromised until their funds are gone.
The GrassCall Variant
The attack vector has not remained static. A related campaign dubbed “GrassCall” recently surfaced, targeting job seekers in the Web3 space. The malware was embedded in a fraudulent meeting app promoted through fake job listings and interviews. Victims who downloaded the software unknowingly allowed malware to access sensitive data on their devices.
This variation, attributed to a Russian-speaking “traffer team” known as Crazy Evil, relied on elaborate fake company personas. In one instance, the scammers posed as “ChainSeeker.io,” building a full suite of fake social media accounts and professional websites. They even paid for premium listings on job sites like LinkedIn, WellFound, and CryptoJobsList to lure Web3 professionals into their trap.
Victims who took part in these fake interviews soon found their wallets emptied. A Telegram support group was formed by those affected, offering advice on malware removal and system recovery.
A $650 Million Wake-Up Call
The risk isn’t limited to individuals. Federal authorities have also cracked down on large-scale scams exploiting the crypto space. Earlier this year, the U.S. Department of Justice unsealed indictments against Michael Shannon Sims and Juan Carlos Reynoso, the alleged masterminds behind OmegaPro, a global crypto pyramid scheme.
Operating between 2019 and 2023, OmegaPro promised 300% returns over 16 months through forex trading. Investors were enticed via social media, with Sims and Reynoso showcasing luxurious lifestyles and even projecting the company logo onto the Burj Khalifa to feign legitimacy.
IRS Chief of Criminal Investigations Guy Ficco stated that the scam “promised financial freedom but delivered financial ruin.” The two men now face charges of conspiracy to commit wire fraud and money laundering, each carrying up to 20 years in prison.
After claiming to have been hacked, OmegaPro directed victims to a new platform, Broker Group, from which users were similarly unable to withdraw their funds.
The Role of Social Media in Financial Crime
The persistence and effectiveness of these scams underscore the darker potential of social media platforms in facilitating financial crime. By combining verified accounts, AI-generated content, cloned websites, and stolen code, these scammers create ecosystems that closely mimic real companies. The use of platforms like GitHub and Notion adds technical legitimacy to the ruse.
Meanwhile, platforms like X and Discord allow direct communication with potential victims. The informal nature of these platforms often reduces skepticism, particularly in the crypto and Web3 communities where outreach and collaboration are commonplace.
Warnings and Defensive Measures
Cybersecurity experts advise users to remain vigilant when approached for beta testing or job offers related to crypto projects. Even if a project appears legitimate, users should double-check company records, domain registrations, and the history of social media accounts. Downloading software from unfamiliar sources should be avoided entirely unless verified through trusted channels.
Joao Wedson, CEO of Alphractal, warned users that “low-volume attacks like these can easily slip under the radar” but still pose a substantial threat. By mimicking real software companies, these campaigns exploit not only technical vulnerabilities but also human trust.
In Summary
The draining of crypto wallets via sophisticated social media scams is not a new phenomenon, but it is becoming more dangerous and far-reaching. The rise of AI and decentralized finance has expanded the attack surface for bad actors, enabling them to construct intricate lies across multiple platforms.
Darktrace’s latest findings reveal that the threat is not only persistent but evolving, with fake firms and malware delivery mechanisms growing more complex. With fake job interviews, fraudulent software downloads, and phony crypto platforms all in play, users must navigate the crypto landscape with increasing caution.
Until platforms bolster account verification and authentication, and users adopt stricter security hygiene, these elaborate schemes will likely continue to claim victims. As always, if something sounds too good to be true in crypto, it probably is.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.