In a revelation from Darktrace, researchers have uncovered a highly coordinated and ongoing cybercrime campaign that uses fake software startups to lure cryptocurrency users into downloading malware. These cybercriminals leverage the illusion of legitimacy—complete with professional websites, verified social media accounts, GitHub projects, and even fake merchandise stores—to disguise their true intent: stealing crypto wallets.
“Threat actors are creating fake startup companies with AI, gaming, video meeting software, Web3 and social media themes,” the report states.
The attackers mimic real software startups, crafting company profiles on platforms like X (formerly Twitter), Medium, GitHub, Notion, and even Gitbook. These profiles showcase everything from fake employee bios and product roadmaps to whitepapers and investor lists. Some even register fake company details with legitimate business registries such as Companies House in the UK.

One fake company, Eternal Decay, even doctored photos of an Italian exhibition to fake a conference appearance and falsely promote their nonexistent blockchain-powered game.
The campaign often begins on X, Telegram, or Discord, where fake company “employees” contact victims, offering crypto payments to test their software. The victims are then guided to download the malware from the company’s polished-looking website using a provided registration code.
For Windows, victims receive a malicious Electron application. For macOS, they are handed a DMG file containing the infamous Atomic Stealer malware.
Once the Electron app is launched, it presents a Cloudflare verification screen and then quietly downloads a payload—often signed with stolen code signing certificates from real companies like Jiangyin Fengyuan Electronics Co., Ltd. and Paperbucketmdb ApS (the latter revoked in June 2025).
“The malware begins by profiling the system… If verification is successful, an executable or MSI file is downloaded and executed quietly.”
A Python runtime is then installed in a temporary directory and used to run code directed remotely via command-and-control (C2) infrastructure, executing commands that typically steal sensitive data and crypto credentials.
On macOS, victims download a DMG containing a bash script and a multiarch binary. The script uses AppleScript to move and execute the hidden .SwoxApp binary in /tmp/. This binary is the Atomic Stealer, a well-known macOS info stealer that targets:
- Browser data
- Cookies
- Documents
- Crypto wallets
The stolen data is compressed into out.zip and exfiltrated via POST request to 45[.]94[.]47[.]167/contact. Persistence is achieved via a LaunchAgent plist configuration, ensuring the malware runs at every login.
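As an added defender-side illustration (not code from the Darktrace report), the following script scans a LaunchAgents directory for plists matching the persistence pattern described above: an agent that launches a hidden binary out of /tmp/ with RunAtLoad set. The two sample plists and the com.swox.helper label are constructed for this example.

```python
import os
import plistlib
import tempfile
from pathlib import Path
# Constructed samples: a benign agent and one mimicking the persistence pattern the
# article describes (hidden binary run out of /tmp/ at every login). Label is hypothetical.
BENIGN_PLIST = {"Label": "com.example.updater", "RunAtLoad": True,
                "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"]}
SUSPICIOUS_PLIST = {"Label": "com.swox.helper", "RunAtLoad": True,
                    "ProgramArguments": ["/bin/bash", "-c", "/tmp/.SwoxApp"]}

def suspicious_reasons(plist):
    """Indicators that make a LaunchAgent look like the stealer's persistence mechanism."""
    cmdline = [plist["Program"]] if "Program" in plist else []
    cmdline += plist.get("ProgramArguments", [])
    reasons = []
    for arg in cmdline:
        for token in arg.split():  # catches '/bin/bash -c /tmp/.x' style wrappers too
            if token.startswith(("/tmp/", "/private/tmp/")):
                reasons.append(f"executes from temp dir: {token}")
            if os.path.basename(token).startswith("."):
                reasons.append(f"hidden executable name: {token}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set (re-executes at every login)")
    return reasons

def scan_launch_agents(directory):
    """Scan every .plist in a LaunchAgents directory; return {filename: reasons} for hits."""
    findings = {}
    for path in Path(directory).glob("*.plist"):
        try:
            with open(path, "rb") as fh:
                reasons = suspicious_reasons(plistlib.load(fh))
        except Exception:  # malformed or non-plist content still deserves a manual look
            reasons = ["unparseable plist (inspect manually)"]
        if reasons:
            findings[path.name] = reasons
    return findings

def demo():
    """Write the constructed samples to a temp dir and scan it (stands in for ~/Library/LaunchAgents)."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("benign.plist", BENIGN_PLIST), ("swox.plist", SUSPICIOUS_PLIST)):
            with open(os.path.join(d, name), "wb") as fh:
                plistlib.dump(data, fh)
        return scan_launch_agents(d)

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```

Point scan_launch_agents() at a real user's ~/Library/LaunchAgents (or /Library/LaunchAgents) during triage; the heuristics are deliberately narrow to the pattern reported here and will not catch persistence placed elsewhere.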
Darktrace also links the tactics to “traffer” groups—cybercriminal operations that generate traffic to malware using SEO, YouTube ads, and fake software. A notable group, CrazyEvil, has been linked to similar schemes targeting crypto users, influencers, and gaming communities.
“While it is unclear if the campaigns described in this blog can be attributed to CrazyEvil… the techniques described are similar in nature.”
Darktrace has flagged dozens of fake entities. Among them:
- Pollens AI – Collaborative AI tool
- Swox – A “next-gen social network” on Web3
- Eternal Decay – Fake blockchain-powered game
- Buzzu – Rebranded version of Pollens AI
- Lunelior, Wasper, Slax, NexLoop – All share design/codebase similarities
Each entity shares suspicious overlaps in design, source code, and social media activity, pointing to a central orchestrator behind the scheme.
“This campaign highlights the efforts that threat actors will go to make these fake companies look legitimate in order to steal cryptocurrency from victims,” Darktrace concludes.