A surge in sophisticated crypto-stealing malware is currently sweeping across the internet, with scammers resorting to creating fake AI, gaming, and Web3 startups to deceive unsuspecting victims into downloading malicious software. Darktrace, a prominent cybersecurity firm, has sounded the alarm on these elaborate social engineering tactics being employed by cybercriminals to exploit trust in digital startups.
These attackers are going to great lengths to establish fake companies complete with convincing websites, social media profiles, GitHub repositories, white papers, and even fabricated team pages on platforms like Notion. Many of these fraudulent sites are also linked to verified or compromised X (formerly Twitter) accounts to lend an air of legitimacy. Fake accounts associated with these startups post regular updates, blog content, and product announcements to maintain the façade of authenticity.
Victims are often directly contacted on platforms like X, Telegram, or Discord, with the scammers posing as employees of the fake firms and offering cryptocurrency in exchange for testing their software. Once users are lured in, they are provided with a registration code and directed to download malware-infected applications from professionally designed websites.
One specific scheme identified by Darktrace involved a sham blockchain game named “Eternal Decay” that used altered images to claim conference participation and listed fake investors. Images from another game, “Zombie Within,” were also used without permission. Other deceitful startups such as Pollens AI, Swox, and Buzzu have been noted, each with nearly identical branding and codebases.
The malware being distributed targets both Windows and macOS users and is capable of stealing crypto wallet credentials and personal information, using tools from the Realst and Atomic Stealer malware families. Darktrace’s technical analysis reveals that on Windows systems, attackers use Electron-based apps to profile the system, download malicious files, and execute them discreetly.
On macOS, a disguised DMG file installs the Atomic Stealer, which harvests browser data, wallet credentials, and other sensitive files before transmitting them to servers controlled by the attackers. The malware incorporates advanced evasion techniques like stolen software signing certificates, obfuscation, and persistent background execution to evade detection.
While it remains uncertain whether the group behind this campaign is directly affiliated with the notorious “CrazyEvil” malware group, Darktrace warns that the tactics employed bear a striking resemblance. The threat actors are utilizing newer malware variants and more elaborate deception methods to ensnare unsuspecting victims.
More broadly, crypto-targeted scams are on the rise, with a surge in highly coordinated malware and credential breaches driving 2025 towards record-breaking crypto losses. Kaspersky’s Financial Cyberthreats report indicates an 83.4% increase in crypto phishing detections and a 3.6x rise in mobile banking Trojan attacks year-over-year, signaling a shift in attacker focus from traditional banking malware to crypto wallets.
Noteworthy incidents include the emergence of the sophisticated mobile malware strain “SparkKitty,” which has been active since February 2024, masquerading as TikTok mods or crypto apps to steal seed phrases stored in user photo galleries. Additionally, cybersecurity analysts recently discovered malware originating from Procolored, a Chinese printer manufacturer, which had infiltrated official drivers with a crypto-stealing remote access trojan, resulting in the theft of 9.3 BTC.
Furthermore, a massive data breach revealed over 16 billion login credentials, many obtained through infostealer malware, heightening risks for crypto users managing their assets online. These incidents, coupled with CertiK’s estimation of $2.2 billion lost to crypto attacks in the first half of 2025, underscore the increasing sophistication of cybercrime targeting digital assets.
As cybercriminals continue to evolve their tactics, vigilance and caution are paramount for individuals navigating the crypto landscape to protect themselves from falling victim to these malicious schemes.