Crypto Executives Targeted in Sophisticated Spear-Phishing Scheme
A new spear-phishing campaign is targeting executives in the crypto industry through fraudulent interview requests that impersonate journalists from CoinMarketCap. Attackers are using the names and images of real contributors to create a facade of legitimacy, increasing the risk of malware installation, data theft, and loss of cryptocurrency wallets.
Details of the Attack
Threat intelligence analysts have identified that these scammers are using the exact name and profile of a former CoinMarketCap contributor to build trust. The impersonated individual has confirmed they are no longer associated with the organization, but their name and image still appear on the company’s website, giving the phishing attempts a deceptive layer of credibility.
The scam unfolds when targets receive an email inviting them to discuss Web3 innovation. While the email appears to originate from the CoinMarketCap team, it actually comes from a fake domain that is designed solely to send emails. The emails are crafted professionally, raising minimal suspicion, and include a link to schedule a Zoom call using a legitimate Calendly setup, complete with CoinMarketCap branding.
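A mail-filter check for the mismatch described above, where the display name claims CoinMarketCap but the sending domain is not the brand's. This is an added example, not code from the original report. The allowlist, the function names and the sample messages (including the `.example` domains) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the brand really sends mail from (maintain per brand).
BRAND_DOMAINS = {"coinmarketcap": {"coinmarketcap.com"}}

def _squash(text):
    """Lowercase and keep only letters/digits, so 'Coin-Market Cap' still matches."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _is_allowed(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def impersonation_findings(raw_message):
    """Return the reasons a message looks like brand impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    body = "" if msg.is_multipart() else msg.get_payload()
    # Only the display name and subject count as a "claim"; body mentions are too noisy.
    claimed = _squash(display + msg.get("Subject", ""))
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if _is_allowed(domain, allowed):
            continue
        if brand in _squash(domain):
            findings.append(f"lookalike sender domain for {brand}: {domain}")
        if brand in claimed:
            findings.append(f"claims {brand} but sent from {domain}")
    if findings and "calendly.com/" in body.lower():
        findings.append("scheduling link in a message that failed the sender check")
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = (
    'From: "CoinMarketCap Editorial Team" <editor@coinmarketcap-press.example>\n'
    "Subject: Interview request: Web3 innovation\n\n"
    "Pick a slot: https://calendly.com/constructed-example/interview\n"
)
LEGIT = (
    'From: "CoinMarketCap" <news@mail.coinmarketcap.com>\n'
    "Subject: Weekly digest\n\nHello.\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, impersonation_findings(raw))
```

A lookalike domain that the sender controls can pass SPF, DKIM and DMARC, so this check complements those controls rather than replacing them. Mail that claims to come from the allowlisted domain itself still needs those authentication results verified.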
Once the target joins the Zoom call, they encounter two individuals, Igor and Dirk. Dirk impersonates a former CoinMarketCap editor, complete with the actual name and profile picture displayed during the meeting. Following brief introductions, Igor requests that the target change their application’s language setting to Polish, claiming a malfunction in his note-taking app.
Exploiting Zoom’s Features
To build familiarity, Igor makes casual conversation and references past interviews. He then asks which operating system the target uses, claiming it will help him change the language. This seemingly innocuous request leads to a restart of Zoom, which then runs in Polish.
Shortly thereafter, a pop-up appears in Polish, requesting permission to allow a remote participant to take control of the screen. Accepting this request grants the attackers complete access to the target’s keyboard and mouse. This access can facilitate malware installation, file exfiltration, or theft of sensitive credentials and cryptocurrency wallets—all while masquerading as routine application interaction.
The attack takes advantage of Zoom’s default remote control feature, often overlooked in corporate environments. Users typically do not suspect malicious intent during a meeting, and distractions can prevent them from noticing anything unusual. Once remote access is granted, deploying malware can occur in mere seconds, making it a highly effective strategy, particularly against professionals in the crypto sector.
Victims of this scheme include high-profile figures in the crypto space, who have publicly warned others about similar attacks. This tactic mirrors the recent trend of ClickFix attacks, where victims are instructed to carry out actions themselves. In this case, however, the attacker manipulates the procedure directly, increasing the danger and unpredictability of the situation.
In summary, the campaign highlights the growing threat of sophisticated phishing tactics in the cryptocurrency sector. Executives must remain vigilant and employ robust security measures to protect themselves from these evolving threats.
For further information, resources such as those from AlienVault can provide insights into the indicators of compromise (IOCs) associated with these attacks. Awareness and education are crucial in combating the risks posed by such deceptive schemes.
