{"id":94880,"date":"2026-03-03T14:57:12","date_gmt":"2026-03-03T11:57:12","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=94880"},"modified":"2026-03-03T15:00:24","modified_gmt":"2026-03-03T12:00:24","slug":"hackers-pose-as-venture-capitalists-to-target-crypto-specialists","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-pose-as-venture-capitalists-to-target-crypto-specialists\/","title":{"rendered":"Hackers Pose as Venture Capitalists to Target Crypto Specialists"},"content":{"rendered":"<p>Analysts at Moonlock Lab <a href=\"https:\/\/moonlock.com\/fake-vcs-target-crypto-talent-clickfix-campaign\">have uncovered<\/a> a large-scale attack on <a href=\"https:\/\/forklog.com\/en\/news\/what-is-web3\">Web3<\/a> developers and crypto specialists. Hackers disguise themselves as venture capitalists and find victims on LinkedIn.<\/p>\n<p>The perpetrators praise the specialists&#8217; projects and propose collaboration. They then send links to fake video conferences that infect computers with viruses.<\/p>\n<h2 class=\"wp-block-heading\">The Illusion of Legitimate Business<\/h2>\n<p>The attackers created three fictitious crypto funds: SolidBit Capital, MegaBit, and Lumax Capital. The websites of these organizations appear credible, featuring corporate history, investment portfolios, and lists of executives. The images of the staff were generated by a neural network.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-c0982a829c9d55fc-7755136897288826-1024x620.png\" alt=\"Megabit-AI-images-of-investment-team\" class=\"wp-image-276123\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-c0982a829c9d55fc-7755136897288826-1024x620.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-c0982a829c9d55fc-7755136897288826-300x182.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-c0982a829c9d55fc-7755136897288826-768x465.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-c0982a829c9d55fc-7755136897288826.png 1238w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Moonlock Lab.<\/figcaption><\/figure>\n<p>The fraudsters contact specialists from fake accounts, posing as top managers of these funds. The dialogue begins with compliments on the victim&#8217;s professional achievements.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Infection via ClickFix<\/h2>\n<p>The attackers quickly move the conversation to messengers and invite the victim to a video call. The victim receives a link to the Calendly service. The address redirects the user to an exact copy of the Zoom, Google Meet, or similar service site.<\/p>\n<p>A Cloudflare verification window pops up on the screen. The system asks the user to check a box to confirm they are not a robot. This is the hacker technique known as ClickFix.\u00a0<\/p>\n<p>Clicking the button silently copies malicious code to the clipboard. The site displays an animated instruction with a timer, asking the user to open the system terminal, paste the copied text, and press Enter.\u00a0<\/p>\n<p>The code automatically detects the operating system:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>On Windows<\/strong>, a hidden process runs directly in RAM. The virus does not save files to the hard drive, allowing it to bypass security systems;<\/li>\n<li><strong>On macOS<\/strong>, the script checks for Python, quietly downloads the necessary libraries, and embeds itself in the system.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-e4d3dbea74f5ded6-7755169905043329.webp\" alt=\"Screenshot 2026-03-03 134902\" class=\"wp-image-276124\"\/><figcaption class=\"wp-element-caption\">Source: Moonlock Lab.<\/figcaption><\/figure>\n<p>In some cases, hackers sent victims an application that fully mimics the interface of the real Zoom on Mac. The program simulates a login window, collects passwords, and sends them to the fraudsters&#8217; Telegram bot.<\/p>\n<h2 class=\"wp-block-heading\">Links to North Korean Hackers<\/h2>\n<p>The fake websites&#8217; addresses are registered under the name Anatoly Bigdash from Boston, USA. Experts doubt this person exists.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-44b03c4772b2779b-7755211035707946.webp\" alt=\"Screenshot 2026-03-03 135225\" class=\"wp-image-276125\"\/><figcaption class=\"wp-element-caption\">Source: Moonlock Lab.<\/figcaption><\/figure>\n<p>Researchers noted a similarity in tactics with the methods of the UNC1069 group. This team has been hacking crypto projects since 2018. Analysts at <a href=\"https:\/\/forklog.com\/en\/news\/dydx-developer-accounts-breached-malicious-ai-chrome-extensions-and-other-cybersecurity-news\">Mandiant<\/a> previously linked it to North Korea. The criminals use identical structures for malicious links and similar deception scenarios through fake video calls.<\/p>\n<p>To protect against attacks, specialists recommend checking the registration dates of the interlocutors&#8217; domains. Legitimate services never ask users to enter commands in the terminal to verify identity or start a broadcast. The deception can be detected at the stage of clicking on external links.<\/p>\n<p>Back in June 2025, investment partner Mehdi Farooq of the venture firm Hypersphere <a href=\"https:\/\/forklog.com\/en\/news\/hypersphere-partner-loses-savings-after-zoom-conference-scam\">fell<\/a> victim to a phishing attack via a fake Zoom call.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Analysts at Moonlock Lab have uncovered a large-scale attack on Web3 developers and crypto specialists. Hackers disguise themselves as venture capitalists.<\/p>\n","protected":false},"author":1,"featured_media":94881,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Hackers pose as venture capitalists to target crypto specialists on LinkedIn.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1111,1202],"class_list":["post-94880","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-cybersecurity","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"143","promo_type":"1","layout_type":"1","short_excerpt":"Hackers pose as venture capitalists to target crypto specialists on LinkedIn.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/94880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=94880"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/94880\/revisions"}],"predecessor-version":[{"id":94882,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/94880\/revisions\/94882"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/94881"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=94880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=94880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=94880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}