Russian Scammers Target Crypto Influencers with Infostealers

A new report by Recorded Future has revealed new elements about the sophisticated techniques by which a well-known Russian crypto scamming group operates.

The group, Crazy Evil, is a collective of social engineering specialists tasked with redirecting legitimate traffic to malicious landing pages – commonly called a ‘traffer team.’

Since 2021, the group has been targeting cryptocurrencies, non-fungible tokens (NFTs), smart contracts, and other web3 projects to conduct malicious activity on social media. This activity includes digital asset theft, identity fraud and spreading infostealers.

Recorded Future’s Insikt Group report, published on January 23, uncovered over 10 active scams conducted by the Crazy Evil gang on social media. The scams typically target high-value victims, like tech, gaming and crypto influencers.

The researchers also revealed that the cybercriminal gang uses a sophisticated malware toolkit, including advanced tools like Stealc and Atomic macOS Stealer (AMOS) which target Windows and macOS respectively, ensuring widespread compromise.

Read more: Everything You Need to Know About Infostealers

Crazy Evil, the Growing Crypto Scamming Gang

Crazy Evil is a gang comprising six subteams – AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND. Each team is responsible for managing its own phishing pages associated with various scams aimed at infecting devices with malware.

Active since 2021, Crazy Evil has maintained a presence on low-tier dark web forums and has over 3,000 followers on its public Telegram channel.

“Crazy Evil is specifically interested in heists involving NFTs but has also been observed opportunistically capitalizing on other cryptocurrencies, payment cards, gaming accounts with auctionable and collectible assets, online banking accounts and other financial targets,” the Insikt Group report highlighted.

The gang’s activity has likely grown over the past three months due to a series of exit scams of other similar crypto scammers and traffer teams, such as ‘Marko Polo’ and ‘CryptoLove.’

The gang continues to recruit new affiliates, who are encouraged to submit detailed applications to Crazy Evil via a Telegram bot, which unlocks access to subsequent applications and private channels.

The gang operates two public Telegram channels to distribute information and communicate with the outside world. Two private Telegram channels are also used to organize its scam operations and one private Telegram discussion group for its traffers.

The Insikt Group researchers estimated that the Crazy Evil gang has generated over $5m in illicit revenue and infected tens of thousands of devices with malware worldwide.

Crazy Evil’s Infection Tactics

Insikt Group identified at least 10 active crypto scams that can be attributed to one of the Crazy Evil gang subteams.

These typically involve promoting a fake service on social media, leading to malicious links and downloading malware, including infostealers. The scams detected by the Insikt Group researchers include:

• Voxium, a fake decentralized communication tool built on the Solana cryptocurrency blockchain (attributed to AVLAND)
• Rocket Galaxy (formerly Rocket Legacy), a fake game (attributed to AVLAND)
• TyperDex, a fake AI-assisted productivity software (attributed to TYPED)
• DeMeet, a fake “community developmentˮ platform with message and audio-based chat, event planning and brand loyalty functionalities (attributed to DELAND)
• Zoom and WeChat impersonators (attributed to ZOOMLAND)
• Selenium Finance, a fake digital asset management platform (attributed to DEFI)
• Gatherum, a fake AI-enhanced virtual meeting software (attributed to KEVLAND)

These scam services will lead users to install malicious payloads targeting both Windows and macOS environments.

According to Crazy Evil “worker manualsˮ providing in-depth descriptions of these tactics that the Insikt Group researchers have obtained, these payloads include Stealc, Rhadamanthys, AMOS and Angel Drainer.

The manuals also vividly encourage affiliates to target decentralized finance (DeFi), decentralized applications (DApps) and other web3 and blockchain-based projects.

“Crazy Evil traffers sometimes take days or weeks of reconnaissance time to scope operations, identify targets and initiate engagements”, the researchers added.

The gang’s operations have likely compromised tens of thousands of devices worldwide.

“The threat group’s ability to operate on such a large scale poses a serious risk to both personal data security and the overall stability of the Web3 ecosystem,” the security researchers noted.

Looking ahead, Insikt Group estimated that the groupʼs strong presence on dark web forums, its alliances with rival gangs and malware developers and the robust obfuscation will likely result in more enduring threats that are difficult to detect and neutralize.

“Threat groups like Crazy Evil are resilient to identification and disruption — the biggest threat to their operations comes from internal strife.”

Mitigating Crazy Evil Scams

However, the report outlined some recommended measures to mitigate the threat a group like Crazy Evil poses. These include:

• Deploying advanced endpoint detection and response (EDR) solutions to monitor for and block the execution of known malware families associated with Crazy Evil, such as Rhadamanthys, Stealc, and AMOS
• Deploying web filtering solutions to block access to known malicious domains linked to Crazy Evil as well as suspicious downloads, especially those related to cracked ‘freemium’ software
• Regularly updating threat intelligence feeds with the latest indicators of compromise (IoCs) related to Crazy Evil
• Including in security awareness training specific modules on the risks posed by cryptocurrency-targeted attacks used by Crazy Evil and other crypto scammers

Read now: Scammers Drain $500m from Crypto Wallets in a Year