
Hackers Exploit ‘Microphone Debugging’ to Steal Crypto Assets
Job seekers looking for work at cryptocurrency firms have encountered a new cybercriminal scheme aimed at stealing their assets, according to MetaMask developer Taylor Monahan.
Heads up all—some dudes have a slick, new way of dropping some nasty malware.
Feels infostealer-y on the surface but…it's not.
It’ll really, deeply rekt you.
Pls share this w/ your friends, devs, and multisig signers. Everyone needs to be careful + stay skeptical. pic.twitter.com/KRRWGL3GDo
— Tay (@tayvano_) December 28, 2024
According to her, fraudulent job offers have spread on LinkedIn, freelancer sites, Discord, and Telegram, purportedly from bitcoin exchanges Kraken, MEXC, Gemini, Meta Corporation, and others. The fake recruiters advertise positions for technical specialists, traders, and analysts with salaries ranging from $200,000 to $350,000.
Initially, the victim is invited to a text interview on the Willo website, where they are asked about trends in the crypto market and tasked with developing a business expansion strategy on a limited budget. The final task, on organizing teamwork, requires the applicant to record a video response.
A browser pop-up requests access to the user’s microphone and camera. However, the page then displays an equipment error. To resolve it, the site suggests updating drivers and restarting the browser.
If you follow their instructions, you are fucked.
They vary depending on whether you are on Mac/Windows/Linux.
But once you do it, Chrome will prompt you to update/restart to “fix the issue.”
It’s not fixing the issue. It’s fully fucking you. pic.twitter.com/ZEn2HpuAEb
— Tay (@tayvano_) December 28, 2024
Following these “recommendations” leads to the installation of a backdoor, granting attackers access to the victim’s devices and enabling them to steal cryptocurrency funds.
The attack affects macOS, Windows, and Linux operating systems.
Monahan did not specify the number of potential victims or the amount of damage.
Earlier, an attack on the Japanese cryptocurrency exchange DMM Bitcoin, resulting in $308 million in damages, also began with a fraudulent recruiter on LinkedIn who compromised an employee of a third-party company with access to the platform’s assets. According to the FBI, state-sponsored North Korean hackers known as TraderTraitor were behind the incident.