By Mark Hunter
Sun Jul 13 2025 10:00:12
- Threat actors have created fake AI, gaming, and Web3 startups to pose as legitimate tech firms, according to a report from Darktrace
- Verified social media accounts have been compromised and used to spread malware
- Victims have been tricked into downloading crypto wallet-draining software on Windows and macOS
A new report by cybersecurity firm Darktrace has uncovered a growing trend in which sophisticated scammers are posing as innovative tech startups to trick users into installing malware designed to steal cryptocurrency. These campaigns have leveraged verified accounts on X, professionally designed fake websites, and convincing whitepapers to gain the trust of unsuspecting victims. Once hooked, users are lured into downloading what appears to be legitimate software, only to find their digital wallets emptied and their credentials compromised. The attacks represent the latest development in the cat-and-mouse game between hackers and those trying to prevent their activities.
Shiny New Projects Are Gold-Plated Cons
According to Darktrace, the scam begins with the creation of elaborate fake companies, many branded as artificial intelligence, Web3, or video gaming startups, with names like “Eternal Decay.” These fraudulent ventures are propped up by realistic marketing material hosted across platforms like Medium, GitHub, and Notion, complete with bios, development roadmaps, and blog posts that mimic real startup operations.
Scammers then use hijacked or fake verified X accounts to contact users, often offering exclusive access to beta testing opportunities or crypto bounty programs. Once the victim engages, they are redirected to links that serve malware cloaked as software installers. The software then finds crypto wallets and empties them into the hackers’ pockets.
Malware Disguised as Opportunity
The malware involved is not amateurish; Darktrace reports that it has been signed using stolen certificates to bypass security checks and uses evasion techniques that make it harder for analysts or antivirus programs to detect. After a faux “verification” screen that mimics Cloudflare’s browser check, the software installs quietly in the background, targeting credentials and crypto wallet data stored on both Windows and macOS devices.
Some of the tactics observed mirror previous large-scale phishing operations, including the infamous “Meeten” campaign seen in December 2024. Darktrace emphasized that the scam is not only ongoing but actively evolving, suggesting the operators behind it are adapting as awareness spreads.
This discovery fits into a broader pattern that has been troubling the crypto industry in recent months, namely the rise of crypto “drainers,” malware specifically designed to extract funds from digital wallets without detection. It’s working, too: according to recent research from Chainalysis, the amount of value stolen by drainers has begun to surpass that taken in traditional ransomware attacks. These campaigns often combine social engineering with technical precision, making them harder to spot and more effective at reaching a wide user base through trust-based platforms like X.